CVE-2024-42098
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
29/07/2024
Last modified:
03/11/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

crypto: ecdh - explicitly zeroize private_key

private_key is overwritten with the key parameter passed in by the caller (if present), or alternatively a newly generated private key. However, it is possible that the caller provides a key (or the newly generated key) which is shorter than the previous key. In that scenario, some key material from the previous key would not be overwritten. The easiest solution is to explicitly zeroize the entire private_key array first.

Note that this patch slightly changes the behavior of this function: previously, if the ecc_gen_privkey failed, the old private_key would remain. Now, the private_key is always zeroized. This behavior is consistent with the case where params.key is set and ecc_is_key_valid fails.
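The stale-key condition described above, as an added C example (constructed here, not the kernel's code): a set_key that writes only the new key's bytes, beside the zeroize-first form the fix describes. The struct, buffer size and key values are stand-ins; the real ctx->private_key is sized for the largest supported curve.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Stand-in for the fixed-size private_key array in the ecdh context. */
#define KEY_BUF_LEN 32

struct ecdh_ctx_demo {
    size_t key_len;                    /* length of the key currently in use */
    uint8_t private_key[KEY_BUF_LEN];
};

/* Vulnerable pattern: only the first len bytes are overwritten, so a
 * shorter key leaves the tail of the previous key in the buffer. */
static void set_key_stale(struct ecdh_ctx_demo *ctx, const uint8_t *key, size_t len)
{
    ctx->key_len = len;
    memcpy(ctx->private_key, key, len);
}

/* Fixed pattern: zeroize the whole array before installing the new key.
 * (Kernel code uses memzero_explicit() where the compiler might otherwise
 * drop the store; here the buffer is read afterwards, so memset suffices.) */
static void set_key_zeroized(struct ecdh_ctx_demo *ctx, const uint8_t *key, size_t len)
{
    memset(ctx->private_key, 0, sizeof(ctx->private_key));
    ctx->key_len = len;
    memcpy(ctx->private_key, key, len);
}

/* Count nonzero bytes past the live key: leftover material from an old key. */
static size_t stale_bytes(const struct ecdh_ctx_demo *ctx)
{
    size_t n = 0;
    for (size_t i = ctx->key_len; i < KEY_BUF_LEN; i++)
        if (ctx->private_key[i] != 0)
            n++;
    return n;
}

/* Install a 32-byte key, then a 16-byte key (constructed values), and
 * report how many stale bytes remain. use_fix selects the zeroize-first path. */
static size_t demo(int use_fix)
{
    struct ecdh_ctx_demo ctx = {0};
    uint8_t long_key[32], short_key[16];
    memset(long_key, 0xA5, sizeof(long_key));
    memset(short_key, 0x5C, sizeof(short_key));
    void (*set_key)(struct ecdh_ctx_demo *, const uint8_t *, size_t) =
        use_fix ? set_key_zeroized : set_key_stale;
    set_key(&ctx, long_key, sizeof(long_key));
    set_key(&ctx, short_key, sizeof(short_key));
    return stale_bytes(&ctx);
}
```

demo(0) reports 16 stale bytes from the first key; demo(1) reports none.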
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.162 (excluding) | |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.97 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.37 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.8 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/39173b04abda87872b43c331468a4a14f8f05ce8
- https://git.kernel.org/stable/c/73e5984e540a76a2ee1868b91590c922da8c24c9
- https://git.kernel.org/stable/c/80575b252ab0358b7e93895b2a510beb3cb3f975
- https://git.kernel.org/stable/c/d96187eb8e59b572a8e6a68b6a9837a867ea29df
- https://git.kernel.org/stable/c/fd7ef325911eba1b7191b83cb580463242f2090d
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html