Re: [PATCH] crypto: sun4i-ss - Remove insecure and unused rng_alg
From: Tianchu Chen
Date: Mon Jun 01 2026 - 05:25:45 EST
From: Tianchu Chen <flynnnchen@xxxxxxxxxxx>
In-Reply-To: <20260529193648.18172-1-ebiggers@xxxxxxxxxx>
References: <20260529193648.18172-1-ebiggers@xxxxxxxxxx>

On Fri, May 29, 2026 at 12:36:48PM -0700, Eric Biggers wrote:
> Remove sun4i_ss_rng, as it is insecure and unused:
>
> - It has multiple vulnerabilities. sun4i_ss_prng_seed() is missing
>   locking and has a buffer overflow.

Thanks for cleaning this up.

For the record, the sun4i_ss_prng_seed() buffer overflow you mention here
is the same issue we reported earlier with a targeted fix:

https://lore.kernel.org/linux-crypto/20260529194152.GA3628@quark/

It is an unauthenticated, unbounded memcpy() into the 24-byte ss->seed[]
buffer, reachable from any user via AF_ALG ALG_SET_KEY with no privileges
on affected Allwinner sun4i hardware.

Please note that this should be treated as a security fix. For the earlier
stable releases, keeping the rng_alg but adding a proper bounds check in
sun4i_ss_prng_seed() might still be a preferable option to consider.

Given the above, would you mind adding the following trailers to the commit
message? Besides crediting the discovery and report, they would also make
this security issue easier to track and reference across the stable trees:

Discovered by Atuin - Automated Vulnerability Discovery Engine
Reported-by: Tianchu Chen <flynnnchen@xxxxxxxxxxx>

Thanks,
Tianchu
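
The bounds check suggested above for stable trees, modeled in userspace C as an added example; it is not the kernel driver's code or the posted fix. `struct ss_model`, `model_prng_seed()` and the reject-with-`-EINVAL` policy are assumptions; only the 24-byte seed size comes from the message, and the missing locking is not covered here.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SEED_BYTES 24 /* size of ss->seed[] as stated in the message above */

/* Hypothetical userspace stand-in for the driver state. */
struct ss_model {
    unsigned char seed[SEED_BYTES];
    unsigned int guard; /* models whatever field follows seed[] */
};

/*
 * Bounds-checked seed routine (hypothetical name and signature).
 * slen comes from the caller, so it is checked against the destination
 * before any copy. Assumed policy: oversized seeds are rejected with
 * -EINVAL instead of being truncated; shorter seeds are zero-padded.
 */
int model_prng_seed(struct ss_model *ss, const unsigned char *seed, size_t slen)
{
    if (ss == NULL || (seed == NULL && slen != 0))
        return -EINVAL;
    if (slen > sizeof(ss->seed))
        return -EINVAL; /* would write past seed[] */

    memset(ss->seed, 0, sizeof(ss->seed));
    if (slen != 0)
        memcpy(ss->seed, seed, slen);
    return 0;
}

int main(void)
{
    /* Constructed inputs: one exact-fit seed, one that is a byte too long. */
    unsigned char input[SEED_BYTES + 1];
    struct ss_model ss = { .guard = 0xC0FFEEu };

    memset(input, 0x5a, sizeof(input));
    printf("24 bytes -> %d\n", model_prng_seed(&ss, input, SEED_BYTES));
    printf("25 bytes -> %d\n", model_prng_seed(&ss, input, sizeof(input)));
    printf("guard intact: %s\n", ss.guard == 0xC0FFEEu ? "yes" : "no");
    return 0;
}
```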