Received: by 2002:a6b:fb09:0:0:0:0:0 with SMTP id h9csp6050801iog;
        Thu, 23 Jun 2022 10:16:59 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1sySeUEsMgjmKITt8UdM6Y7VcuePfsAaJ4gnfwBNET87LHYRFRZaHSrm57hsuQx0eKyYVjm
X-Received: by 2002:a05:6402:606:b0:435:72af:4680 with SMTP id n6-20020a056402060600b0043572af4680mr11878291edv.224.1656004619629;
        Thu, 23 Jun 2022 10:16:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1656004619; cv=none;
        d=google.com; s=arc-20160816;
        b=hG0dDIqOcEcc9tlH/K/kg4tEV2cQiPKHPEJM9GUzKSS7CHgkYCTo5RTGVkjL7StmMo
         NftyOJLZto0YqTs7ft84cnXfdyEVX+jO+yECQ3M9cJSxyq/TsAJFURDfOvssAVG+HnwO
         0oxCh2FthdToRi3L8uaX9rNV+m1xve9tY1ufImpBLVABkJpATR3zhbYsN/HKckqAkSYF
         zlm0J+lHpceMxjRq2b0cVIc0hLxcojRR93pswAi2/wwEm+WedW8VSaXsLKJsABWk+vPU
         q7ITS5nOELjadNdeL+d/4QVrHlhVEsiXmDibvu3A+L8qdaqbYfcaLH0BjLbWi+/KwAQ3
         3PQQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=cVSox1NYDpkF7mQ/h4mgAeOiNJeQNT0XD/69ggzCd0w=;
        b=rZMGfnB7dxreGQ3z8lkQABHJXOYJuYEM5eMRPfJWcRnG+uIFSP2PKWkzReSriN8loN
         a2iZWT07jh197lBdMWJkB8uv7rF99Hb13MY1GMY6XvyxNi4BTl7herNPEL5BOn+JLOEB
         fJvPldaHIDnGdUxvkAZPI1bvSWszij+yiaLzLXpHk3xLgqs1Sp48oCsWsiglPDUd19AI
         wHud4rtmM1oIN6KKQ/fltfiBajHC9xWkAZ46xkZxJdAxjzX71dbi1gbvDszcexKF0CRw
         /1E16m7hJOI7Bzmv1t5WJiDyfP9kfNHkBpLAW9MwSk2AW6+kgCrVqKwziXfUVgpDyeLR
         FWIg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pY6i4KSe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id c20-20020a05640227d400b00435c05a5304si203146ede.11.2022.06.23.10.16.33;
        Thu, 23 Jun 2022 10:16:59 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=pY6i4KSe;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231534AbiFWRKC (ORCPT <rfc822;aki.vanness@gmail.com>
        + 99 others); Thu, 23 Jun 2022 13:10:02 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55856 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S233418AbiFWRHp (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 23 Jun 2022 13:07:45 -0400
Received: from sin.source.kernel.org (sin.source.kernel.org [145.40.73.55])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C318252E55;
        Thu, 23 Jun 2022 09:56:30 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by sin.source.kernel.org (Postfix) with ESMTPS id DBA94CE24F9;
        Thu, 23 Jun 2022 16:56:10 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id CF616C3411B;
        Thu, 23 Jun 2022 16:56:08 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1656003369;
        bh=jKwOCD3iF9wYPqRmpvf4Yrtz6v13f7791ZEt2uNgWrU=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=pY6i4KSe4TXM0PoXuCYZxi0mo2oWGwmE1FkNS06OF7Vc5HnUO2w3FS+9MhEG50kxE
         T+tlWbvryiwg9hzvrhcoebQ9yb3+Qg4S5DnIBb6c5ATUzzGSufL9hLoSImYbCUB+b+
         z7MEVxRl4cmF6QpphDaFfo6/o4rYHHitFt3zY2JM=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Eric Biggers <ebiggers@kernel.org>,
        Eric Biggers <ebiggers@google.com>,
        "Jason A. Donenfeld" <Jason@zx2c4.com>
Subject: [PATCH 4.9 175/264] random: document crng_fast_key_erasure() destination possibility
Date:   Thu, 23 Jun 2022 18:42:48 +0200
Message-Id: <20220623164349.017728063@linuxfoundation.org>
X-Mailer: git-send-email 2.36.1
In-Reply-To: <20220623164344.053938039@linuxfoundation.org>
References: <20220623164344.053938039@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-7.7 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: "Jason A. Donenfeld" <Jason@zx2c4.com>

commit 8717627d6ac53251ee012c3c7aca392f29f38a42 upstream.

This reverts 35a33ff3807d ("random: use memmove instead of memcpy for
remaining 32 bytes"), which was made on a totally bogus basis. The thing
it was worried about overlapping came from the stack, not from one of
its arguments, as Eric pointed out.

But the fact that this confusion even happened draws attention to the
fact that it's a bit non-obvious that the random_data parameter can
alias chacha_state, and in fact should do so when the caller can't rely
on the stack being cleared in a timely manner. So this commit documents
that.

Reported-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/random.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -319,6 +319,13 @@ static void crng_reseed(void)
  * the resultant ChaCha state to the user, along with the second
  * half of the block containing 32 bytes of random data that may
  * be used; random_data_len may not be greater than 32.
+ *
+ * The returned ChaCha state contains within it a copy of the old
+ * key value, at index 4, so the state should always be zeroed out
+ * immediately after using in order to maintain forward secrecy.
+ * If the state cannot be erased in a timely manner, then it is
+ * safer to set the random_data parameter to &chacha_state[4] so
+ * that this function overwrites it before returning.
  */
 static void crng_fast_key_erasure(u8 key[CHACHA20_KEY_SIZE],
 				  u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],