macsec: clear encryption keys from the stack after setting up offload

qsn · davem330 · commit aaab73f8fba4 · 2022-11-04T10:43:56.000Z
macsec_add_rxsa and macsec_add_txsa copy the key to an on-stack offloading context to pass it to the drivers, but leaves it there when it's done. Clear it with memzero_explicit as soon as it's not needed anymore. Fixes: 3cf3227 ("net: macsec: hardware offloading infrastructure") Signed-off-by: Sabrina Dubroca <sd@queasysnail.net> Reviewed-by: Antoine Tenart <atenart@kernel.org> Reviewed-by: Leon Romanovsky <leonro@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/drivers/net/macsec.c b/drivers/net/macsec.c
@@ -1839,6 +1839,7 @@ static int macsec_add_rxsa(struct sk_buff *skb, struct genl_info *info)
 		       secy->key_len);
 
 		err = macsec_offload(ops->mdo_add_rxsa, &ctx);
+		memzero_explicit(ctx.sa.key, secy->key_len);
 		if (err)
 			goto cleanup;
 	}
@@ -2081,6 +2082,7 @@ static int macsec_add_txsa(struct sk_buff *skb, struct genl_info *info)
 		       secy->key_len);
 
 		err = macsec_offload(ops->mdo_add_txsa, &ctx);
+		memzero_explicit(ctx.sa.key, secy->key_len);
 		if (err)
 			goto cleanup;
 	}

Original file line number	Diff line number	Diff line change
`@@ -1839,6 +1839,7 @@ static int macsec_add_rxsa(struct sk_buff skb, struct genl_info info)`
`1839`	`1839`	`secy->key_len);`
`1840`	`1840`
`1841`	`1841`	`err = macsec_offload(ops->mdo_add_rxsa, &ctx);`
	`1842`	`+ memzero_explicit(ctx.sa.key, secy->key_len);`
`1842`	`1843`	`if (err)`
`1843`	`1844`	`goto cleanup;`
`1844`	`1845`	`}`
`@@ -2081,6 +2082,7 @@ static int macsec_add_txsa(struct sk_buff skb, struct genl_info info)`
`2081`	`2082`	`secy->key_len);`
`2082`	`2083`
`2083`	`2084`	`err = macsec_offload(ops->mdo_add_txsa, &ctx);`
	`2085`	`+ memzero_explicit(ctx.sa.key, secy->key_len);`
`2084`	`2086`	`if (err)`
`2085`	`2087`	`goto cleanup;`
`2086`	`2088`	`}`