From: Lothar Rubusch
To: thorsten.blum@linux.dev, herbert@gondor.apana.org.au, davem@davemloft.net, nicolas.ferre@microchip.com, alexandre.belloni@bootlin.com, claudiu.beznea@tuxon.dev, ardb@kernel.org, krzk+dt@kernel.org
Cc: linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, l.rubusch@gmail.com
Subject: [PATCH 1/1] crypto: atmel-sha204a - fix heap info leak on I2C transfer failure
Date: Fri, 29 May 2026 09:43:36 +0000
Message-Id: <20260529094336.33809-1-l.rubusch@gmail.com>

When a non-blocking read operation is requested, the driver dynamically
allocates memory to track asynchronous transfer status. If the underlying
I2C transmission fails, atmel_sha204a_rng_done() logs a rate-limited
warning but incorrectly proceeds to cache the pointer to this
uninitialized buffer inside the rng->priv data field anyway.

On subsequent execution passes, atmel_sha204a_rng_read_nonblocking()
detects the stale rng->priv value, skips executing a hardware data read,
and copies up to 32 bytes of uninitialized kernel heap data from this
garbage memory pool straight back into the system's hwrng data stream.

Fix this information disclosure vector by immediately releasing the
allocated asynchronous work data buffer and explicitly clearing the
tracking pointer context whenever an I2C transaction returns a non-zero
error status. Additionally, duplicate the tfm counter decrement within
the new error path to ensure the reference counter is properly released
before executing the early return, maintaining the driver's availability
for subsequent requests.

Fixes: da001fb651b0 ("crypto: atmel-i2c - add support for SHA204A random number generator")
Signed-off-by: Lothar Rubusch
---
 drivers/crypto/atmel-sha204a.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/atmel-sha204a.c b/drivers/crypto/atmel-sha204a.c index 4c9af737b33a..20cd915ea8a3 100644 --- a/drivers/crypto/atmel-sha204a.c +++ b/drivers/crypto/atmel-sha204a.c @@ -31,10 +31,15 @@ static void atmel_sha204a_rng_done(struct atmel_i2c_work_data *work_data, struct atmel_i2c_client_priv *i2c_priv = work_data->ctx; struct hwrng *rng = areq; - if (status) + if (status) { dev_warn_ratelimited(&i2c_priv->client->dev, "i2c transaction failed (%d)\n", status); + kfree(work_data); + rng->priv = 0; + atomic_dec(&i2c_priv->tfm_count); + return; + } rng->priv = (unsigned long)work_data; atomic_dec(&i2c_priv->tfm_count); base-commit: 5624ea54f3ba5c83d2e5503411a31a8be0278c1e -- 2.53.0
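
Review bot: In the new "if (status) {" branch of atmel_sha204a_rng_done(), atomic_dec(&i2c_priv->tfm_count) is now written twice, once before the early return and once on the success path, so any later change to the release logic has to be made in two places. A single exit avoids that: kfree(work_data) and set rng->priv = 0 in the error branch, assign rng->priv = (unsigned long)work_data in an else branch, and let both fall through to the one existing atomic_dec(). The commit message could also say what the non-blocking reader hands back to the hwrng core after a failed transfer now that rng->priv stays 0, since the hunk only touches the completion callback. Given that the message describes a disclosure of kernel heap data and carries a Fixes: tag, consider adding Cc: stable@vger.kernel.org.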