Linux Kernel ChaCha Crypto Library Vulnerability in Permutation State Handling

Vulnerability

A vulnerability exists in the Linux kernel's handling of the ChaCha20 permutation within the crypto library. Because the permutation is invertible, the local variable 'permuted_state' can be used to reconstruct the original 'state', and with it the key, even after the permutation has been applied. The vulnerability is present in the Linux kernel stable tree. It stems from the kernel's inconsistent practice of zeroing out sensitive data on the stack, a flaw that some widely used user-space crypto libraries share. The kernel nevertheless attempts to follow best practices, particularly regarding the random number generator (RNG). To mitigate the vulnerability, 'permuted_state' should be explicitly zeroed before it goes out of scope.

Impact

Failure to properly zeroize the 'permuted_state' variable could lead to unintentional exposure of cryptographic keys, as the permuted state can be used to compute the original state and key.

Reproduction

The vulnerability can be reproduced by using the ChaCha20 implementation in the Linux kernel's crypto library. The 'permuted_state' variable should be zeroed after it is used in the encryption process and before the function exits. Because this zeroing step is missing, the key data remains accessible.
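The following added example (user-space C, not the kernel's code and not part of the original advisory) shows why the leftover matters: each step of the 20-round ChaCha permutation can be undone, so an unwiped 'permuted_state' inverts back to the key words while a wiped one does not. The function names, the caller-provided buffer standing in for the stack local, and the sample key, counter and nonce are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>
#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define ROTR(v, n) (((v) >> (n)) | ((v) << (32 - (n))))
/* Quarter-round word indices: four column rounds, then four diagonal rounds. */
static const int IDX[8][4] = {{0,4,8,12}, {1,5,9,13}, {2,6,10,14}, {3,7,11,15},
                              {0,5,10,15}, {1,6,11,12}, {2,7,8,13}, {3,4,9,14}};
static void permute(uint32_t x[16]) {          /* 20 rounds = 80 quarter rounds */
    for (int i = 0; i < 80; i++) {
        const int *w = IDX[i % 8], a = w[0], b = w[1], c = w[2], d = w[3];
        x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 16);
        x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 12);
        x[a] += x[b]; x[d] = ROTL(x[d] ^ x[a], 8);
        x[c] += x[d]; x[b] = ROTL(x[b] ^ x[c], 7);
    }
}

static void unpermute(uint32_t x[16]) {        /* every step undone, last first */
    for (int i = 79; i >= 0; i--) {
        const int *w = IDX[i % 8], a = w[0], b = w[1], c = w[2], d = w[3];
        x[b] = ROTR(x[b], 7) ^ x[c];  x[c] -= x[d];
        x[d] = ROTR(x[d], 8) ^ x[a];  x[a] -= x[b];
        x[b] = ROTR(x[b], 12) ^ x[c]; x[c] -= x[d];
        x[d] = ROTR(x[d], 16) ^ x[a]; x[a] -= x[b];
    }
}

static void wipe(void *p, size_t n) {          /* volatile stores are not elided */
    for (volatile unsigned char *v = p; n--; ) *v++ = 0;
}

/* permuted_state is caller-provided (assumption) so the leftover can be inspected. */
static void chacha_block(const uint32_t state[16], uint32_t out[16],
                         uint32_t permuted_state[16], int zeroize) {
    memcpy(permuted_state, state, 64);
    permute(permuted_state);
    for (int i = 0; i < 16; i++) out[i] = permuted_state[i] + state[i];
    if (zeroize) wipe(permuted_state, 64);
}

/* Returns 1 if the leftover buffer can be inverted back to the key words. */
static int leftover_reveals_key(int zeroize) {
    uint32_t state[16] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574};
    uint32_t out[16], scratch[16];
    for (int i = 4; i < 16; i++) state[i] = 0x01010101u * (uint32_t)i; /* constructed */
    chacha_block(state, out, scratch, zeroize);
    unpermute(scratch);
    return memcmp(scratch + 4, state + 4, 32) == 0;
}
```

In kernel code the wipe would be done with a helper such as memzero_explicit(), which exists so that the compiler cannot drop the store as dead.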

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version that includes this fix.

Added: May 8, 2026, 3:18 PM
Updated: May 8, 2026, 3:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.