| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20250512105855.3748230-1-zilin@seu.edu.cn>
Date: Mon, 12 May 2025 10:58:55 +0000
From: Zilin Guan <zilin@....edu.cn>
To: anthony.l.nguyen@...el.com
Cc: przemyslaw.kitszel@...el.com,
andrew+netdev@...n.ch,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
intel-wired-lan@...ts.osuosl.org,
netdev@...r.kernel.org,
linux-kernel@...r.kernel.org,
jianhao.xu@....edu.cn,
Zilin Guan <zilin@....edu.cn>
Subject: [PATCH] ixgbe/ipsec: use memzero_explicit() for stack SA structs
The function ixgbe_ipsec_add_sa() currently uses memset() to zero out
stack-allocated SA structs (rsa and tsa) before return, but the gcc-11.4.0
compiler optimizes these calls away. This leaves sensitive key and salt
material on the stack after return.
Replace these memset() calls with memzero_explicit() to prevent the
compiler from optimizing them away. This guarantees that the SA key and
salt are reliably cleared from the stack.
Signed-off-by: Zilin Guan <zilin@....edu.cn>
---
drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
index 07ea1954a276..e8c84f7e937b 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ipsec.c
@@ -678,7 +678,7 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs,
} else {
/* no match and no empty slot */
NL_SET_ERR_MSG_MOD(extack, "No space for SA in Rx IP SA table");
- memset(&rsa, 0, sizeof(rsa));
+ memzero_explicit(&rsa, sizeof(rsa));
return -ENOSPC;
}
@@ -727,7 +727,7 @@ static int ixgbe_ipsec_add_sa(struct xfrm_state *xs,
ret = ixgbe_ipsec_parse_proto_keys(xs, tsa.key, &tsa.salt);
if (ret) {
NL_SET_ERR_MSG_MOD(extack, "Failed to get key data for Tx SA table");
- memset(&tsa, 0, sizeof(tsa));
+ memzero_explicit(&tsa, sizeof(tsa));
return ret;
}
--
2.34.1
Powered by blists - more mailing lists