autopatch/kernel-rt
5
0
Fork 0
Code Issues Pull Requests Releases Activity

CVE-2026-31431: include full set of crypto AEAD/algif fixes (incl. memcpy_sglist refactors)

Browse Source
This commit is contained in:
Andrew Lukoshko 2026-04-30 14:35:08 +02:00
parent c6a6a6451d
commit 9d1c747ebf
2 changed files with 403 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
config.yaml
View File

@ -175,7 +175,7 @@ actions:
- name: "Andrew Lukoshko"
email: "alukoshko@almalinux.org"
line:
- "CVE-2026-31431 (Copy Fail): backport crypto AEAD/algif fixes from stable-5.10.y"
- "CVE-2026-31431 (Copy Fail): backport crypto AEAD/algif fixes from stable-5.10.y (full set)"
- "hpsa: bring back deprecated PCI ids #CFHack #CFHack2024"
- "mptsas: bring back deprecated PCI ids #CFHack #CFHack2024"
- "megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024"

433
files/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch
View File

@ -3,25 +3,33 @@ Subject: [PATCH] CVE-2026-31431 ("Copy Fail"): crypto AEAD/algif fixes for EL8
Backport addressing CVE-2026-31431 ("Copy Fail"), reported by Taeyang Lee
<0wn@theori.io>. EL8 kernel is based on 4.18.0; the closest stable
branch with these fixes is linux-5.10.y. Upstream commits applied where
they fit, plus manual adjustments where 4.18 diverges from 5.10.
Stable-5.10.y commits included:
branch with these fixes is linux-5.10.y. All 10 stable-5.10.y commits
are included, plus one prerequisite (committed 2026-01-30).
df22c9a65e9a crypto: authencesn - reject too-short AAD (assoclen<8) [prereq, committed 2026-01-30]
534b7f208c60 crypto: scatterwalk - Backport memcpy_sglist()
893d22e0135f crypto: algif_aead - Revert to operating out-of-place [adapted: el8 uses crypto_aead_copy_sgl(null_tfm,...) instead of memcpy_sglist]
488f9c3ab90e crypto: algif_aead - use memcpy_sglist() instead of null skcipher
893d22e0135f crypto: algif_aead - Revert to operating out-of-place
08ea39a556ec crypto: algif_aead - snapshot IV for async AEAD requests
8c62f6185765 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption [last hunk adapted: el8 uses crypto_authenc_esn_copy()]
274857bb1fbe crypto: authenc - use memcpy_sglist() instead of null skcipher
8c62f6185765 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption
88881da57e60 crypto: authencesn - Fix src offset when decrypting in-place
fa48d3ea9cdb crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
74a66fdb5282 crypto: algif_aead - Fix minimum RX size check for decryption
Refactor-only commits skipped (not security-relevant; el8 keeps the
existing null_tfm copy path):
Manual adjustments where 4.18 diverges from 5.10:
- 488f9c3ab90e: el8 uses crypto_skcipher (not crypto_sync_skcipher) and
has different aead_tfm/null_tfm structure layout; refactor adapted to
remove struct aead_tfm and the crypto_aead_copy_sgl helper.
- 893d22e0135f: af_alg.c docstring/signature updates adapted to el8's
older docstring style.
- 274857bb1fbe: el8 has crypto_authenc_esn_copy() and crypto_authenc_copy_assoc()
helpers (not memcpy_sglist); refactor adapted to remove these helpers.
- 8c62f6185765: hunk 4 manually re-applied to fit el8's pre-refactor code
shape, equivalent to the upstream post-refactor result.
488f9c3ab90e crypto: algif_aead - use memcpy_sglist() instead of null skcipher
274857bb1fbe crypto: authenc - use memcpy_sglist() instead of null skcipher
The (omitted) crypto: doc - fix kernel-doc notation patch (8b3843b1e3bc)
is purely cosmetic and is intentionally not included.
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
---
@ -122,11 +130,74 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
sg[i].length -= plen;
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -100,10 +100,11 @@
struct aead_tfm *aeadc = pask->private;
struct crypto_aead *tfm = aeadc->aead;
struct crypto_skcipher *null_tfm = aeadc->null_tfm;
@@ -30,8 +30,6 @@
#include <crypto/internal/aead.h>
#include <crypto/scatterwalk.h>
#include <crypto/if_alg.h>
-#include <crypto/skcipher.h>
-#include <crypto/null.h>
#include <linux/init.h>
#include <linux/list.h>
#include <linux/kernel.h>
@@ -40,19 +38,13 @@
#include <linux/net.h>
#include <net/sock.h>
-struct aead_tfm {
- struct crypto_aead *aead;
- struct crypto_skcipher *null_tfm;
-};
-
static inline bool aead_sufficient_data(struct sock *sk)
{
struct alg_sock *ask = alg_sk(sk);
struct sock *psk = ask->parent;
struct alg_sock *pask = alg_sk(psk);
struct af_alg_ctx *ctx = ask->private;
- struct aead_tfm *aeadc = pask->private;
- struct crypto_aead *tfm = aeadc->aead;
+ struct crypto_aead *tfm = pask->private;
unsigned int as = crypto_aead_authsize(tfm);
/*
@@ -68,27 +60,12 @@
struct alg_sock *ask = alg_sk(sk);
struct sock *psk = ask->parent;
struct alg_sock *pask = alg_sk(psk);
- struct aead_tfm *aeadc = pask->private;
- struct crypto_aead *tfm = aeadc->aead;
+ struct crypto_aead *tfm = pask->private;
unsigned int ivsize = crypto_aead_ivsize(tfm);
return af_alg_sendmsg(sock, msg, size, ivsize);
}
-static int crypto_aead_copy_sgl(struct crypto_skcipher *null_tfm,
- struct scatterlist *src,
- struct scatterlist *dst, unsigned int len)
-{
- SKCIPHER_REQUEST_ON_STACK(skreq, null_tfm);
-
- skcipher_request_set_tfm(skreq, null_tfm);
- skcipher_request_set_callback(skreq, CRYPTO_TFM_REQ_MAY_BACKLOG,
- NULL, NULL);
- skcipher_request_set_crypt(skreq, src, dst, len, NULL);
-
- return crypto_skcipher_encrypt(skreq);
-}
-
static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
size_t ignored, int flags)
{
@@ -97,13 +74,12 @@
struct sock *psk = ask->parent;
struct alg_sock *pask = alg_sk(psk);
struct af_alg_ctx *ctx = ask->private;
- struct aead_tfm *aeadc = pask->private;
- struct crypto_aead *tfm = aeadc->aead;
- struct crypto_skcipher *null_tfm = aeadc->null_tfm;
- unsigned int i, as = crypto_aead_authsize(tfm);
+ struct crypto_aead *tfm = pask->private;
+ unsigned int as = crypto_aead_authsize(tfm);
+ unsigned int ivsize = crypto_aead_ivsize(tfm);
struct af_alg_async_req *areq;
@ -136,7 +207,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
int err = 0;
size_t used = 0; /* [in] TX bufs to be en/decrypted */
size_t outlen = 0; /* [out] RX bufs produced by kernel */
@@ -155,10 +156,14 @@
@@ -155,10 +131,14 @@
/* Allocate cipher request for current operation. */
areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) +
@ -152,7 +223,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
/* convert iovecs of output buffers into RX SGL */
err = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages);
if (err)
@@ -174,7 +179,7 @@
@@ -174,7 +154,7 @@
if (usedpages < outlen) {
size_t less = outlen - usedpages;
@ -161,7 +232,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
err = -EINVAL;
goto free;
}
@@ -182,23 +187,24 @@
@@ -182,23 +162,24 @@
outlen -= less;
}
@ -188,7 +259,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+ if (!areq->tsgl_entries)
+ areq->tsgl_entries = 1;
+ areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl),
+ areq->tsgl_entries),
+ areq->tsgl_entries),
+ GFP_KERNEL);
+ if (!areq->tsgl) {
+ err = -ENOMEM;
@ -200,7 +271,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
/*
* Copy of AAD from source to destination
@@ -207,82 +213,19 @@
@@ -207,82 +188,16 @@
* when user space uses an in-place cipher operation, the kernel
* will copy the data as it does not see whether such in-place operation
* is initiated.
@ -210,8 +281,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
- * is achieved by memory management specified as follows.
*/
- /* Use the RX SGL as source (and destination) for crypto op. */
+ /* Use the RX SGL as destination for crypto op. */
/* Use the RX SGL as source (and destination) for crypto op. */
rsgl_src = areq->first_rsgl.sgl.sg;
- if (ctx->enc) {
@ -277,10 +347,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
- /* no RX SGL present (e.g. authentication only) */
- rsgl_src = areq->tsgl;
- }
+ err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src,
+ ctx->aead_assoclen);
+ if (err)
+ goto free;
+ memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen);
/* Initialize the crypto operation */
- aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src,
@ -290,8 +357,90 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen);
aead_request_set_tfm(&areq->cra_u.aead_req, tfm);
@@ -536,7 +479,7 @@
struct crypto_aead *tfm = aeadc->aead;
@@ -383,7 +298,7 @@
int err = 0;
struct sock *psk;
struct alg_sock *pask;
- struct aead_tfm *tfm;
+ struct crypto_aead *tfm;
struct sock *sk = sock->sk;
struct alg_sock *ask = alg_sk(sk);
@@ -397,7 +312,7 @@
err = -ENOKEY;
lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
- if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY)
+ if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
goto unlock;
if (!pask->refcnt++)
@@ -476,54 +391,22 @@
static void *aead_bind(const char *name, u32 type, u32 mask)
{
- struct aead_tfm *tfm;
- struct crypto_aead *aead;
- struct crypto_skcipher *null_tfm;
-
- tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
- if (!tfm)
- return ERR_PTR(-ENOMEM);
-
- aead = crypto_alloc_aead(name, type, mask);
- if (IS_ERR(aead)) {
- kfree(tfm);
- return ERR_CAST(aead);
- }
-
- null_tfm = crypto_get_default_null_skcipher();
- if (IS_ERR(null_tfm)) {
- crypto_free_aead(aead);
- kfree(tfm);
- return ERR_CAST(null_tfm);
- }
-
- tfm->aead = aead;
- tfm->null_tfm = null_tfm;
-
- return tfm;
+ return crypto_alloc_aead(name, type, mask);
}
static void aead_release(void *private)
{
- struct aead_tfm *tfm = private;
-
- crypto_free_aead(tfm->aead);
- crypto_put_default_null_skcipher();
- kfree(tfm);
+ crypto_free_aead(private);
}
static int aead_setauthsize(void *private, unsigned int authsize)
{
- struct aead_tfm *tfm = private;
-
- return crypto_aead_setauthsize(tfm->aead, authsize);
+ return crypto_aead_setauthsize(private, authsize);
}
static int aead_setkey(void *private, const u8 *key, unsigned int keylen)
{
- struct aead_tfm *tfm = private;
-
- return crypto_aead_setkey(tfm->aead, key, keylen);
+ return crypto_aead_setkey(private, key, keylen);
}
static void aead_sock_destruct(struct sock *sk)
@@ -532,11 +415,10 @@
struct af_alg_ctx *ctx = ask->private;
struct sock *psk = ask->parent;
struct alg_sock *pask = alg_sk(psk);
- struct aead_tfm *aeadc = pask->private;
- struct crypto_aead *tfm = aeadc->aead;
+ struct crypto_aead *tfm = pask->private;
unsigned int ivlen = crypto_aead_ivsize(tfm);
- af_alg_pull_tsgl(sk, ctx->used, NULL, 0);
@ -299,6 +448,31 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
sock_kzfree_s(sk, ctx->iv, ivlen);
sock_kfree_s(sk, ctx, ctx->len);
af_alg_release_parent(sk);
@@ -546,10 +428,9 @@
{
struct af_alg_ctx *ctx;
struct alg_sock *ask = alg_sk(sk);
- struct aead_tfm *tfm = private;
- struct crypto_aead *aead = tfm->aead;
+ struct crypto_aead *tfm = private;
unsigned int len = sizeof(*ctx);
- unsigned int ivlen = crypto_aead_ivsize(aead);
+ unsigned int ivlen = crypto_aead_ivsize(tfm);
ctx = sock_kmalloc(sk, len, GFP_KERNEL);
if (!ctx)
@@ -582,9 +463,9 @@
static int aead_accept_parent(void *private, struct sock *sk)
{
- struct aead_tfm *tfm = private;
+ struct crypto_aead *tfm = private;
- if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY)
+ if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY)
return -ENOKEY;
return aead_accept_parent_nokey(private, sk);
--- a/crypto/algif_skcipher.c
+++ b/crypto/algif_skcipher.c
@@ -97,7 +97,7 @@
@ -328,9 +502,138 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm));
sock_kfree_s(sk, ctx, ctx->len);
af_alg_release_parent(sk);
--- a/crypto/authenc.c
+++ b/crypto/authenc.c
@@ -14,7 +14,6 @@
#include <crypto/internal/hash.h>
#include <crypto/internal/skcipher.h>
#include <crypto/authenc.h>
-#include <crypto/null.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
#include <linux/init.h>
@@ -33,7 +32,6 @@
struct crypto_authenc_ctx {
struct crypto_ahash *auth;
struct crypto_skcipher *enc;
- struct crypto_skcipher *null;
};
struct authenc_request_ctx {
@@ -189,21 +187,6 @@
authenc_request_complete(areq, err);
}
-static int crypto_authenc_copy_assoc(struct aead_request *req)
-{
- struct crypto_aead *authenc = crypto_aead_reqtfm(req);
- struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc);
- SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
-
- skcipher_request_set_tfm(skreq, ctx->null);
- skcipher_request_set_callback(skreq, aead_request_flags(req),
- NULL, NULL);
- skcipher_request_set_crypt(skreq, req->src, req->dst, req->assoclen,
- NULL);
-
- return crypto_skcipher_encrypt(skreq);
-}
-
static int crypto_authenc_encrypt(struct aead_request *req)
{
struct crypto_aead *authenc = crypto_aead_reqtfm(req);
@@ -222,10 +205,7 @@
dst = src;
if (req->src != req->dst) {
- err = crypto_authenc_copy_assoc(req);
- if (err)
- return err;
-
+ memcpy_sglist(req->dst, req->src, req->assoclen);
dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen);
}
@@ -326,7 +306,6 @@
struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm);
struct crypto_ahash *auth;
struct crypto_skcipher *enc;
- struct crypto_skcipher *null;
int err;
auth = crypto_spawn_ahash(&ictx->auth);
@@ -338,14 +317,8 @@
if (IS_ERR(enc))
goto err_free_ahash;
- null = crypto_get_default_null_skcipher();
- err = PTR_ERR(null);
- if (IS_ERR(null))
- goto err_free_skcipher;
-
ctx->auth = auth;
ctx->enc = enc;
- ctx->null = null;
crypto_aead_set_reqsize(
tfm,
@@ -359,8 +332,6 @@
return 0;
-err_free_skcipher:
- crypto_free_skcipher(enc);
err_free_ahash:
crypto_free_ahash(auth);
return err;
@@ -372,7 +343,6 @@
crypto_free_ahash(ctx->auth);
crypto_free_skcipher(ctx->enc);
- crypto_put_default_null_skcipher();
}
static void crypto_authenc_free(struct aead_instance *inst)
--- a/crypto/authencesn.c
+++ b/crypto/authencesn.c
@@ -206,6 +206,9 @@
@@ -17,7 +17,6 @@
#include <crypto/internal/hash.h>
#include <crypto/internal/skcipher.h>
#include <crypto/authenc.h>
-#include <crypto/null.h>
#include <crypto/scatterwalk.h>
#include <linux/err.h>
#include <linux/init.h>
@@ -36,7 +35,6 @@
unsigned int reqoff;
struct crypto_ahash *auth;
struct crypto_skcipher *enc;
- struct crypto_skcipher *null;
};
struct authenc_esn_request_ctx {
@@ -179,20 +177,6 @@
authenc_esn_request_complete(areq, err);
}
-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len)
-{
- struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
- struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn);
- SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null);
-
- skcipher_request_set_tfm(skreq, ctx->null);
- skcipher_request_set_callback(skreq, aead_request_flags(req),
- NULL, NULL);
- skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL);
-
- return crypto_skcipher_encrypt(skreq);
-}
-
static int crypto_authenc_esn_encrypt(struct aead_request *req)
{
struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req);
@@ -206,15 +190,15 @@
struct scatterlist *src, *dst;
int err;
@ -340,7 +643,17 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
sg_init_table(areq_ctx->src, 2);
src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen);
dst = src;
@@ -245,6 +248,7 @@
if (req->src != req->dst) {
- err = crypto_authenc_esn_copy(req, assoclen);
- if (err)
- return err;
-
+ memcpy_sglist(req->dst, req->src, assoclen);
sg_init_table(areq_ctx->dst, 2);
dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen);
}
@@ -245,6 +229,7 @@
crypto_ahash_alignmask(auth) + 1);
unsigned int cryptlen = req->cryptlen - authsize;
unsigned int assoclen = req->assoclen;
@ -348,7 +661,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
struct scatterlist *dst = req->dst;
u8 *ihash = ohash + crypto_ahash_digestsize(auth);
u32 tmp[2];
@@ -252,23 +256,29 @@
@@ -252,23 +237,29 @@
if (!authsize)
goto decrypt;
@ -384,7 +697,7 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
return crypto_skcipher_decrypt(skreq);
}
@@ -295,31 +305,36 @@
@@ -295,31 +286,36 @@
unsigned int assoclen = req->assoclen;
unsigned int cryptlen = req->cryptlen;
u8 *ihash = ohash + crypto_ahash_digestsize(auth);
@ -436,6 +749,46 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
ahash_request_set_tfm(ahreq, auth);
ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen);
@@ -341,7 +337,6 @@
struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm);
struct crypto_ahash *auth;
struct crypto_skcipher *enc;
- struct crypto_skcipher *null;
int err;
auth = crypto_spawn_ahash(&ictx->auth);
@@ -353,14 +348,8 @@
if (IS_ERR(enc))
goto err_free_ahash;
- null = crypto_get_default_null_skcipher();
- err = PTR_ERR(null);
- if (IS_ERR(null))
- goto err_free_skcipher;
-
ctx->auth = auth;
ctx->enc = enc;
- ctx->null = null;
ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth),
crypto_ahash_alignmask(auth) + 1);
@@ -377,8 +366,6 @@
return 0;
-err_free_skcipher:
- crypto_free_skcipher(enc);
err_free_ahash:
crypto_free_ahash(auth);
return err;
@@ -390,7 +377,6 @@
crypto_free_ahash(ctx->auth);
crypto_free_skcipher(ctx->enc);
- crypto_put_default_null_skcipher();
}
static void crypto_authenc_esn_free(struct aead_instance *inst)
--- a/crypto/scatterwalk.c
+++ b/crypto/scatterwalk.c
@@ -74,6 +74,104 @@
@ -543,6 +896,24 @@ Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2],
struct scatterlist *src,
unsigned int len)
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -240,7 +240,6 @@
select CRYPTO_BLKCIPHER
select CRYPTO_MANAGER
select CRYPTO_HASH
- select CRYPTO_NULL
help
Authenc: Combined mode wrapper for IPsec.
This is required for IPSec.
@@ -1863,7 +1862,6 @@
depends on NET
select CRYPTO_AEAD
select CRYPTO_BLKCIPHER
- select CRYPTO_NULL
select CRYPTO_USER_API
help
This option enables the user-spaces interface for AEAD
--- a/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -231,9 +231,8 @@