From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Eric Biggers, Eric Biggers, "Jason A. Donenfeld"
Subject: [PATCH 4.19 132/234] random: document crng_fast_key_erasure() destination possibility
Date: Thu, 23 Jun 2022 18:43:19 +0200
Message-Id: <20220623164346.794416464@linuxfoundation.org>

From: "Jason A. Donenfeld"

commit 8717627d6ac53251ee012c3c7aca392f29f38a42 upstream.

This reverts 35a33ff3807d ("random: use memmove instead of memcpy for remaining 32 bytes"), which was made on a totally bogus basis. The thing it was worried about overlapping came from the stack, not from one of its arguments, as Eric pointed out.

But the fact that this confusion even happened draws attention to the fact that it's a bit non-obvious that the random_data parameter can alias chacha_state, and in fact should do so when the caller can't rely on the stack being cleared in a timely manner. So this commit documents that.

Reported-by: Eric Biggers
Reviewed-by: Eric Biggers
Signed-off-by: Jason A. Donenfeld
Signed-off-by: Greg Kroah-Hartman
---
 drivers/char/random.c | 7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/char/random.c +++ b/drivers/char/random.c 
@@ -318,6 +318,13 @@ static void crng_reseed(void) * the resultant ChaCha state to the user, along with the second * half of the block containing 32 bytes of random data that may * be used; random_data_len may not be greater than 32. + * + * The returned ChaCha state contains within it a copy of the old + * key value, at index 4, so the state should always be zeroed out + * immediately after using in order to maintain forward secrecy. + * If the state cannot be erased in a timely manner, then it is + * safer to set the random_data parameter to &chacha_state[4] so + * that this function overwrites it before returning. */ static void crng_fast_key_erasure(u8 key[CHACHA20_KEY_SIZE], u32 chacha_state[CHACHA20_BLOCK_SIZE / sizeof(u32)],
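
Review bot: the added paragraph recommends passing &chacha_state[4] as random_data but does not say what random_data_len has to be in that case. The existing text only gives an upper bound ("random_data_len may not be greater than 32"), so a caller that aliases the state and passes a shorter length could leave part of the old key in chacha_state, which defeats the forward-secrecy goal the paragraph describes. Suggest stating that random_data_len should be the full 32 bytes whenever random_data aliases the state, and saying that index 4 is where the key words begin rather than leaving it as a bare number. Separately, the commit message says this reverts 35a33ff3807d, while the diffstat shows 7 insertions and no deletions in drivers/char/random.c; one sentence on why no code change accompanies the revert in this tree would help anyone auditing the 4.19 backport.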