Re: [PATCH] lib/crypto: chacha - Zeroize permuted_state before it leaves scope
From: Eric Biggers
Date: Fri Mar 27 2026 - 16:43:09 EST

On Wed, Mar 25, 2026 at 08:29:20PM -0700, Eric Biggers wrote:
> Since the ChaCha permutation is invertible, the local variable
> 'permuted_state' is sufficient to compute the original 'state', and thus
> the key, even after the permutation has been done.
>
> While the kernel is quite inconsistent about zeroizing secrets on the
> stack (and some prominent userspace crypto libraries don't bother at all
> since it's not guaranteed to work anyway), the kernel does try to do it
> as a best practice, especially in cases involving the RNG.
>
> Thus, explicitly zeroize 'permuted_state' before it goes out of scope.
>
> Fixes: c08d0e647305 ("crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
>
> This patch is targeting libcrypto-fixes

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git/log/?h=libcrypto-fixes

- Eric
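
Added example, not part of the original message or of the kernel source: a user-space C sketch of the invertibility argument in the quoted commit message. It shows that running the ChaCha quarter rounds backwards over a leftover 'permuted_state' rebuilds the key words unless the buffer was zeroized. The function names, the constructed key/counter/nonce values and the use of memset() in place of a kernel zeroizing helper are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

#define ROTL(x, n) (((x) << (n)) | ((x) >> (32 - (n))))
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))
/* Word indices of the 4 column and 4 diagonal quarter rounds (RFC 8439). */
static const int QR[8][4] = { {0,4,8,12}, {1,5,9,13}, {2,6,10,14}, {3,7,11,15},
			      {0,5,10,15}, {1,6,11,12}, {2,7,8,13}, {3,4,9,14} };

static void qr(uint32_t *x, const int *q)	/* forward quarter round */
{
	int a = q[0], b = q[1], c = q[2], d = q[3];
	x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 16);
	x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 12);
	x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 8);
	x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 7);
}

static void qr_inv(uint32_t *x, const int *q)	/* same steps undone in reverse */
{
	int a = q[0], b = q[1], c = q[2], d = q[3];
	x[b] = ROTR(x[b], 7) ^ x[c];  x[c] -= x[d];
	x[d] = ROTR(x[d], 8) ^ x[a];  x[a] -= x[b];
	x[b] = ROTR(x[b], 12) ^ x[c]; x[c] -= x[d];
	x[d] = ROTR(x[d], 16) ^ x[a]; x[a] -= x[b];
}

void chacha_permute(uint32_t x[16])	/* 20 rounds = 80 quarter rounds */
{
	for (int i = 0; i < 80; i++)
		qr(x, QR[i % 8]);
}
void chacha_unpermute(uint32_t x[16])	/* undo them, last one first */
{
	for (int i = 79; i >= 0; i--)
		qr_inv(x, QR[i % 8]);
}

/* Returns 1 if key words 4..11 can be rebuilt from what permuted_state holds. */
int key_recoverable(int wipe)
{
	uint32_t permuted_state[16], state[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 };
	for (int i = 4; i < 16; i++)
		state[i] = 0x01010101u * i;	/* constructed key, counter, nonce */
	memcpy(permuted_state, state, sizeof(state));
	chacha_permute(permuted_state);
	if (wipe)	/* kernel code would use a helper such as memzero_explicit() */
		memset(permuted_state, 0, sizeof(permuted_state));
	chacha_unpermute(permuted_state);
	return memcmp(permuted_state + 4, state + 4, 32) == 0;
}
```

key_recoverable(0) returns 1 and key_recoverable(1) returns 0. A plain memset() is enough here only because the buffer is read again afterwards; a final store to a dying stack variable can be dropped by the compiler.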