Message-Id: <20250512092808.3741865-1-zilin@seu.edu.cn>
Date: Mon, 12 May 2025 09:28:08 +0000
From: Zilin Guan <zilin@....edu.cn>
To: steffen.klassert@...unet.com
Cc: herbert@...dor.apana.org.au,
	davem@...emloft.net,
	edumazet@...gle.com,
	kuba@...nel.org,
	pabeni@...hat.com,
	horms@...nel.org,
	netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	jianhao.xu@....edu.cn,
	Zilin Guan <zilin@....edu.cn>
Subject: [RFC PATCH] xfrm: use kfree_sensitive() for SA secret zeroization

The XFRM subsystem supports redaction of Security Association (SA)
secret material when CONFIG_SECURITY lockdown for XFRM secrets is active.
High-level copy_to_user_* APIs already omit secret fields, but the
state destruction path still invokes plain kfree(), which does not zero
the underlying memory before freeing. This can leave SA keys and
other confidential data in memory, risking exposure via post-free
vulnerabilities.

This patch modifies __xfrm_state_destroy() so that, if SA secret
redaction is enabled, it calls kfree_sensitive() on the aead, aalg and
ealg structs, ensuring secure zeroization prior to deallocation. When
redaction is disabled, the existing kfree() behavior is preserved.

Note that xfrm_redact() is identical to the helper function implemented
in net/xfrm/xfrm_user.c. This patch is an RFC to seek feedback on
whether this change is appropriate and whether there is a better way to
patch this.

Signed-off-by: Zilin Guan <zilin@....edu.cn>
---
 net/xfrm/xfrm_state.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 341d79ecb5c2..b6f2c329ea9d 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -593,15 +593,28 @@ void xfrm_state_free(struct xfrm_state *x)
 }
 EXPORT_SYMBOL(xfrm_state_free);
 
+static bool xfrm_redact(void)
+{
+	return IS_ENABLED(CONFIG_SECURITY) &&
+		security_locked_down(LOCKDOWN_XFRM_SECRET);
+}
+
 static void ___xfrm_state_destroy(struct xfrm_state *x)
 {
+	bool redact_secret = xfrm_redact();
 	if (x->mode_cbs && x->mode_cbs->destroy_state)
 		x->mode_cbs->destroy_state(x);
 	hrtimer_cancel(&x->mtimer);
 	timer_delete_sync(&x->rtimer);
-	kfree(x->aead);
-	kfree(x->aalg);
-	kfree(x->ealg);
+	if (redact_secret) {
+		kfree_sensitive(x->aead);
+		kfree_sensitive(x->aalg);
+		kfree_sensitive(x->ealg);
+	} else {
+		kfree(x->aead);
+		kfree(x->aalg);
+		kfree(x->ealg);
+	}
 	kfree(x->calg);
 	kfree(x->encap);
 	kfree(x->coaddr);
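Review bot: Gating the zeroization on lockdown (the `if (redact_secret)` branch in ___xfrm_state_destroy()) ties two unrelated properties together: LOCKDOWN_XFRM_SECRET controls whether secrets are reported to userspace, while key material in x->aead, x->aalg and x->ealg is secret whether or not lockdown is active, and kfree_sensitive() costs only a memset of a small object. Calling kfree_sensitive() unconditionally for those three fields would drop the branch and the new helper entirely; x->calg (compression) and x->encap carry no keys, so plain kfree() is fine for them as the hunk already does. If the conditional form is kept: the new `xfrm_redact()` is a verbatim second static copy of the one in net/xfrm/xfrm_user.c (as the commit message acknowledges), so move one copy to a shared header such as include/net/xfrm.h as a static inline instead of duplicating it; add a blank line after the declaration `bool redact_secret = xfrm_redact();` (checkpatch will flag it); and note the commit message says __xfrm_state_destroy() while the hunk modifies ___xfrm_state_destroy().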
-- 
2.34.1
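The distinction the commit message draws between kfree() and kfree_sensitive() can be seen in user space with the added illustration below, which is not code from the patch or the kernel: a one-object "slab" (a static buffer we can inspect after release) is freed either untouched or after an explicit wipe, and the number of key bytes still readable afterwards is counted. The names toy_free, toy_free_sensitive and explicit_wipe are constructed; the volatile-pointer wipe plays the role of the kernel's memzero_explicit().

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not patch or kernel code: one-object "slab" plus kfree()-like and kfree_sensitive()-like frees. */
#define TOY_KEY_LEN 16                 /* constructed: a 128-bit SA key */
static unsigned char slab[32];         /* stands in for the freed heap object */

/* kfree() analogue: memory is handed back with its old contents intact. */
static void toy_free(void *p) { (void)p; }

/* Store through a volatile pointer so the wipe cannot be dropped as a dead store. */
static void explicit_wipe(void *p, size_t n)
{
	volatile unsigned char *v = p;
	while (n--)
		*v++ = 0;
}

/* kfree_sensitive() analogue: zero the object, then release it. */
static void toy_free_sensitive(void *p, size_t n)
{
	explicit_wipe(p, n);
	toy_free(p);
}

/* Fill the object with key bytes, free it one way or the other, then count
 * key bytes still readable in the slab (what a post-free read would observe). */
static size_t key_bytes_left(int sensitive)
{
	size_t i, left = 0;
	memset(slab, 0, sizeof(slab));
	memset(slab, 0xA5, TOY_KEY_LEN);   /* constructed non-zero key material */
	if (sensitive)
		toy_free_sensitive(slab, TOY_KEY_LEN);
	else
		toy_free(slab);
	for (i = 0; i < TOY_KEY_LEN; i++)
		left += slab[i] != 0;
	return left;
}

size_t leftover_after_plain_free(void)     { return key_bytes_left(0); }  /* 16 */
size_t leftover_after_sensitive_free(void) { return key_bytes_left(1); }  /* 0 */

int main(void)
{
	printf("kfree-style free: %zu key bytes remain\n", leftover_after_plain_free());
	printf("kfree_sensitive-style free: %zu key bytes remain\n", leftover_after_sensitive_free());
	return 0;
}
```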

