From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E222D3ACF16; Wed, 8 Apr 2026 18:33:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775673192; cv=none; b=VzWYJCXUvMDduQSvxKnppTqc0uI149R35KI7I4NruJFkTTDp3QpXaStr1uKp3bubgWzWt/oMfOEDA6klXDBR39zj9tbNdgtVFbXqoX243P6MJPYTXm2Bmn3EeiEY+Nn1Iqqg0FZ1L3prQVXFzuMDXvnEFlGr2/wFFPfE+fLapNQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1775673192; c=relaxed/simple; bh=S/3KCJGT0PjMb9BA1PRjfk/99yQQRX2Bx/kKJ/KC2cE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=BXXLB5/Rx3DXarvGcNpDAWI+e29XKNXPyfXmtXW2PKkRpIKwy9tWL/e6W+bk8IzsLzHwS1jr7gfG/OUUfZG8YrlWEqwAh0CW8KiO/eCJg5xI7aNzWQ8u8huSOznEYlx3IWO3jCA9TbsLxkWJtIH+XQiVbLk0mOyjs5U5vuC/FzY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=PWXcHOVX; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="PWXcHOVX" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 794BCC19421; Wed, 8 Apr 2026 18:33:11 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1775673191; bh=S/3KCJGT0PjMb9BA1PRjfk/99yQQRX2Bx/kKJ/KC2cE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PWXcHOVXHMWbT422lAeJR331aL9Igeyf2eUFw50gU24w2I1JJNZp96y4M0vgHCCCH a15uf9DAM5M6qslyLm+7nivnCupwL6PyMzwUdptQHfyMy5a0AnSXcWI3s4wdx+NXo6 DyXPGIUBE6fosYGxe3Yk10ipvnJ49bcnFuHdly+M= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Ard Biesheuvel , Eric Biggers Subject: [PATCH 6.18 136/277] lib/crypto: chacha: Zeroize permuted_state before it leaves scope Date: Wed, 8 Apr 2026 20:02:01 +0200 Message-ID: <20260408175938.954167040@linuxfoundation.org> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260408175933.836769063@linuxfoundation.org> References: <20260408175933.836769063@linuxfoundation.org> User-Agent: quilt/0.69 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Eric Biggers commit e5046823f8fa3677341b541a25af2fcb99a5b1e0 upstream. Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done. While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG. Thus, explicitly zeroize 'permuted_state' before it goes out of scope. Fixes: c08d0e647305 ("crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation") Cc: stable@vger.kernel.org Acked-by: Ard Biesheuvel Link: https://lore.kernel.org/r/20260326032920.39408-1-ebiggers@kernel.org Signed-off-by: Eric Biggers Signed-off-by: Greg Kroah-Hartman --- lib/crypto/chacha-block-generic.c | 4 ++++ 1 file changed, 4 insertions(+) --- a/lib/crypto/chacha-block-generic.c +++ b/lib/crypto/chacha-block-generic.c @@ -87,6 +87,8 @@ void chacha_block_generic(struct chacha_ &out[i * sizeof(u32)]); state->x[12]++; + + chacha_zeroize_state(&permuted_state); } EXPORT_SYMBOL(chacha_block_generic); @@ -110,5 +112,7 @@ void hchacha_block_generic(const struct memcpy(&out[0], &permuted_state.x[0], 16); memcpy(&out[4], &permuted_state.x[12], 16); + + chacha_zeroize_state(&permuted_state); } EXPORT_SYMBOL(hchacha_block_generic);