On Mon, May 04, 2026 at 02:59:41AM -0400, Demi Marie Obenour wrote:
> On 5/4/26 02:56, Eric Biggers wrote:
> > On Mon, May 04, 2026 at 02:54:27AM -0400, Demi Marie Obenour wrote:
> >> On 5/4/26 02:15, Eric Biggers wrote:
> >>> The zero-copy support is one of the riskiest aspects of AF_ALG. It
> >>> allows userspace to request cryptographic operations directly on
> >>> pagecache pages of files like the 'su' binary. It also allows userspace
> >>> to concurrently modify the memory which is being operated on, a huge
> >>> recipe for TOCTOU vulnerabilities.
> >>>
> >>> While zero-copy support is more valuable in other areas of the kernel
> >>> like the frequently used networking and file I/O code, it has far less
> >>> value in AF_ALG, which is a niche UAPI. AF_ALG primarily just exists
> >>> for backwards compatibility with a small set of userspace programs such
> >>> as 'iwd' that haven't yet been fixed to use userspace crypto code.
> >>>
> >>> Originally AF_ALG was intended to be used to access hardware crypto
> >>> accelerators. However, it isn't an efficient interface for that anyway,
> >>> and it turned out to be rarely used in this way in practice.
> >>>
> >>> Thus, the risks of the zero-copy support in AF_ALG vastly outweigh its
> >>> benefits. Just remove it.
> >>>
> >>> Note that this isn't a hard break, since the splice syscall is still
> >>> supported. The data is just now copied instead. So it still works,
> >>> just a bit slower in some cases.
> >>>
> >>> Tested with libkcapi/test.sh. All its test cases still pass. I also
> >>> verified that this would have prevented the copy.fail exploit as well.
> >>>
> >>> Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space interface for
> >>> skcipher operations")
> >>> Fixes: 400c40cf78da ("crypto: algif - add AEAD support")
> >>> Reported-by: Taeyang Lee <[email protected]>
> >>> Reported-by: Feng Ning <[email protected]>
> > [...]
> >> In light of
> >> https://lore.kernel.org/all/[email protected]/,
> >> yes please!
> >>
> >> Should there be a Link: tag referencing that email?
> >
> > Yes I forgot to put that in, sorry. It should go after the second
> > Reported-by:
> >
> > Link: https://lore.kernel.org/r/[email protected]
> >
> > - Eric
>
> Should this also link to copy.fail or a related email?
Sure. I'll go ahead and resend right away, so it doesn't get applied
without the links.
- Eric
