From: Eric Biggers <ebiggers@kernel.org> mainline inclusion from mainline-v7.0-rc7 commit e5046823f8fa3677341b541a25af2fcb99a5b1e0 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14894 CVE: CVE-2026-43336 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Since the ChaCha permutation is invertible, the local variable 'permuted_state' is sufficient to compute the original 'state', and thus the key, even after the permutation has been done. While the kernel is quite inconsistent about zeroizing secrets on the stack (and some prominent userspace crypto libraries don't bother at all since it's not guaranteed to work anyway), the kernel does try to do it as a best practice, especially in cases involving the RNG. Thus, explicitly zeroize 'permuted_state' before it goes out of scope. Fixes: c08d0e647305 ("crypto: chacha20 - Add a generic ChaCha20 stream cipher implementation") Cc: stable@vger.kernel.org Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20260326032920.39408-1-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Conflicts: lib/chacha20.c lib/crypto/chacha-block-generic.c [Commit 1ca1b917940c ("crypto: chacha20-generic - refactor to allow varying number of rounds") was not merged. File name change.] Signed-off-by: Yi Yang <yiyang13@huawei.com> --- lib/chacha20.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/lib/chacha20.c b/lib/chacha20.c index d907fec6a9ed..d78cf2e6c360 100644 --- a/lib/chacha20.c +++ b/lib/chacha20.c @@ -70,5 +70,7 @@ void chacha20_block(u32 *state, u8 *stream) put_unaligned_le32(x[i] + state[i], &stream[i * sizeof(u32)]); state[12]++; + + memzero_explicit(x, sizeof(x)); } EXPORT_SYMBOL(chacha20_block); -- 2.25.1