diff --git a/config.yaml b/config.yaml index 0fea6eb..642cc79 100644 --- a/config.yaml +++ b/config.yaml @@ -175,7 +175,7 @@ actions: - name: "Andrew Lukoshko" email: "alukoshko@almalinux.org" line: - - "CVE-2026-31431 (Copy Fail): backport crypto AEAD/algif fixes from stable-5.10.y" + - "CVE-2026-31431 (Copy Fail): backport crypto AEAD/algif fixes from stable-5.10.y (full set)" - "hpsa: bring back deprecated PCI ids #CFHack #CFHack2024" - "mptsas: bring back deprecated PCI ids #CFHack #CFHack2024" - "megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024" diff --git a/files/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch b/files/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch index 6d2fee3..7813088 100644 --- a/files/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch +++ b/files/1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch @@ -3,25 +3,33 @@ Subject: [PATCH] CVE-2026-31431 ("Copy Fail"): crypto AEAD/algif fixes for EL8 Backport addressing CVE-2026-31431 ("Copy Fail"), reported by Taeyang Lee <0wn@theori.io>. EL8 kernel is based on 4.18.0; the closest stable -branch with these fixes is linux-5.10.y. Upstream commits applied where -they fit, plus manual adjustments where 4.18 diverges from 5.10. - -Stable-5.10.y commits included: +branch with these fixes is linux-5.10.y. All 10 stable-5.10.y commits +are included, plus one prerequisite (committed 2026-01-30). df22c9a65e9a crypto: authencesn - reject too-short AAD (assoclen<8) [prereq, committed 2026-01-30] 534b7f208c60 crypto: scatterwalk - Backport memcpy_sglist() - 893d22e0135f crypto: algif_aead - Revert to operating out-of-place [adapted: el8 uses crypto_aead_copy_sgl(null_tfm,...) instead of memcpy_sglist] + 488f9c3ab90e crypto: algif_aead - use memcpy_sglist() instead of null skcipher + 893d22e0135f crypto: algif_aead - Revert to operating out-of-place 08ea39a556ec crypto: algif_aead - snapshot IV for async AEAD requests - 8c62f6185765 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption [last hunk adapted: el8 uses crypto_authenc_esn_copy()] + 274857bb1fbe crypto: authenc - use memcpy_sglist() instead of null skcipher + 8c62f6185765 crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption 88881da57e60 crypto: authencesn - Fix src offset when decrypting in-place fa48d3ea9cdb crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl 74a66fdb5282 crypto: algif_aead - Fix minimum RX size check for decryption -Refactor-only commits skipped (not security-relevant; el8 keeps the -existing null_tfm copy path): +Manual adjustments where 4.18 diverges from 5.10: +- 488f9c3ab90e: el8 uses crypto_skcipher (not crypto_sync_skcipher) and + has different aead_tfm/null_tfm structure layout; refactor adapted to + remove struct aead_tfm and the crypto_aead_copy_sgl helper. +- 893d22e0135f: af_alg.c docstring/signature updates adapted to el8's + older docstring style. +- 274857bb1fbe: el8 has crypto_authenc_esn_copy() and crypto_authenc_copy_assoc() + helpers (not memcpy_sglist); refactor adapted to remove these helpers. +- 8c62f6185765: hunk 4 manually re-applied to fit el8's pre-refactor code + shape, equivalent to the upstream post-refactor result. - 488f9c3ab90e crypto: algif_aead - use memcpy_sglist() instead of null skcipher - 274857bb1fbe crypto: authenc - use memcpy_sglist() instead of null skcipher +The (omitted) crypto: doc - fix kernel-doc notation patch (8b3843b1e3bc) +is purely cosmetic and is intentionally not included. Signed-off-by: Andrew Lukoshko --- @@ -122,11 +130,74 @@ Signed-off-by: Andrew Lukoshko sg[i].length -= plen; --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c -@@ -100,10 +100,11 @@ - struct aead_tfm *aeadc = pask->private; - struct crypto_aead *tfm = aeadc->aead; - struct crypto_skcipher *null_tfm = aeadc->null_tfm; +@@ -30,8 +30,6 @@ + #include + #include + #include +-#include +-#include + #include + #include + #include +@@ -40,19 +38,13 @@ + #include + #include + +-struct aead_tfm { +- struct crypto_aead *aead; +- struct crypto_skcipher *null_tfm; +-}; +- + static inline bool aead_sufficient_data(struct sock *sk) + { + struct alg_sock *ask = alg_sk(sk); + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); + struct af_alg_ctx *ctx = ask->private; +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; ++ struct crypto_aead *tfm = pask->private; + unsigned int as = crypto_aead_authsize(tfm); + + /* +@@ -68,27 +60,12 @@ + struct alg_sock *ask = alg_sk(sk); + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; ++ struct crypto_aead *tfm = pask->private; + unsigned int ivsize = crypto_aead_ivsize(tfm); + + return af_alg_sendmsg(sock, msg, size, ivsize); + } + +-static int crypto_aead_copy_sgl(struct crypto_skcipher *null_tfm, +- struct scatterlist *src, +- struct scatterlist *dst, unsigned int len) +-{ +- SKCIPHER_REQUEST_ON_STACK(skreq, null_tfm); +- +- skcipher_request_set_tfm(skreq, null_tfm); +- skcipher_request_set_callback(skreq, CRYPTO_TFM_REQ_MAY_BACKLOG, +- NULL, NULL); +- skcipher_request_set_crypt(skreq, src, dst, len, NULL); +- +- return crypto_skcipher_encrypt(skreq); +-} +- + static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, + size_t ignored, int flags) + { +@@ -97,13 +74,12 @@ + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); + struct af_alg_ctx *ctx = ask->private; +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; +- struct crypto_skcipher *null_tfm = aeadc->null_tfm; - unsigned int i, as = crypto_aead_authsize(tfm); ++ struct crypto_aead *tfm = pask->private; + unsigned int as = crypto_aead_authsize(tfm); + unsigned int ivsize = crypto_aead_ivsize(tfm); struct af_alg_async_req *areq; @@ -136,7 +207,7 @@ Signed-off-by: Andrew Lukoshko int err = 0; size_t used = 0; /* [in] TX bufs to be en/decrypted */ size_t outlen = 0; /* [out] RX bufs produced by kernel */ -@@ -155,10 +156,14 @@ +@@ -155,10 +131,14 @@ /* Allocate cipher request for current operation. */ areq = af_alg_alloc_areq(sk, sizeof(struct af_alg_async_req) + @@ -152,7 +223,7 @@ Signed-off-by: Andrew Lukoshko /* convert iovecs of output buffers into RX SGL */ err = af_alg_get_rsgl(sk, msg, flags, areq, outlen, &usedpages); if (err) -@@ -174,7 +179,7 @@ +@@ -174,7 +154,7 @@ if (usedpages < outlen) { size_t less = outlen - usedpages; @@ -161,7 +232,7 @@ Signed-off-by: Andrew Lukoshko err = -EINVAL; goto free; } -@@ -182,23 +187,24 @@ +@@ -182,23 +162,24 @@ outlen -= less; } @@ -188,7 +259,7 @@ Signed-off-by: Andrew Lukoshko + if (!areq->tsgl_entries) + areq->tsgl_entries = 1; + areq->tsgl = sock_kmalloc(sk, array_size(sizeof(*areq->tsgl), -+ areq->tsgl_entries), ++ areq->tsgl_entries), + GFP_KERNEL); + if (!areq->tsgl) { + err = -ENOMEM; @@ -200,7 +271,7 @@ Signed-off-by: Andrew Lukoshko /* * Copy of AAD from source to destination -@@ -207,82 +213,19 @@ +@@ -207,82 +188,16 @@ * when user space uses an in-place cipher operation, the kernel * will copy the data as it does not see whether such in-place operation * is initiated. @@ -210,8 +281,7 @@ Signed-off-by: Andrew Lukoshko - * is achieved by memory management specified as follows. */ -- /* Use the RX SGL as source (and destination) for crypto op. */ -+ /* Use the RX SGL as destination for crypto op. */ + /* Use the RX SGL as source (and destination) for crypto op. */ rsgl_src = areq->first_rsgl.sgl.sg; - if (ctx->enc) { @@ -277,10 +347,7 @@ Signed-off-by: Andrew Lukoshko - /* no RX SGL present (e.g. authentication only) */ - rsgl_src = areq->tsgl; - } -+ err = crypto_aead_copy_sgl(null_tfm, tsgl_src, rsgl_src, -+ ctx->aead_assoclen); -+ if (err) -+ goto free; ++ memcpy_sglist(rsgl_src, tsgl_src, ctx->aead_assoclen); /* Initialize the crypto operation */ - aead_request_set_crypt(&areq->cra_u.aead_req, rsgl_src, @@ -290,8 +357,90 @@ Signed-off-by: Andrew Lukoshko aead_request_set_ad(&areq->cra_u.aead_req, ctx->aead_assoclen); aead_request_set_tfm(&areq->cra_u.aead_req, tfm); -@@ -536,7 +479,7 @@ - struct crypto_aead *tfm = aeadc->aead; +@@ -383,7 +298,7 @@ + int err = 0; + struct sock *psk; + struct alg_sock *pask; +- struct aead_tfm *tfm; ++ struct crypto_aead *tfm; + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + +@@ -397,7 +312,7 @@ + + err = -ENOKEY; + lock_sock_nested(psk, SINGLE_DEPTH_NESTING); +- if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY) ++ if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY) + goto unlock; + + if (!pask->refcnt++) +@@ -476,54 +391,22 @@ + + static void *aead_bind(const char *name, u32 type, u32 mask) + { +- struct aead_tfm *tfm; +- struct crypto_aead *aead; +- struct crypto_skcipher *null_tfm; +- +- tfm = kzalloc(sizeof(*tfm), GFP_KERNEL); +- if (!tfm) +- return ERR_PTR(-ENOMEM); +- +- aead = crypto_alloc_aead(name, type, mask); +- if (IS_ERR(aead)) { +- kfree(tfm); +- return ERR_CAST(aead); +- } +- +- null_tfm = crypto_get_default_null_skcipher(); +- if (IS_ERR(null_tfm)) { +- crypto_free_aead(aead); +- kfree(tfm); +- return ERR_CAST(null_tfm); +- } +- +- tfm->aead = aead; +- tfm->null_tfm = null_tfm; +- +- return tfm; ++ return crypto_alloc_aead(name, type, mask); + } + + static void aead_release(void *private) + { +- struct aead_tfm *tfm = private; +- +- crypto_free_aead(tfm->aead); +- crypto_put_default_null_skcipher(); +- kfree(tfm); ++ crypto_free_aead(private); + } + + static int aead_setauthsize(void *private, unsigned int authsize) + { +- struct aead_tfm *tfm = private; +- +- return crypto_aead_setauthsize(tfm->aead, authsize); ++ return crypto_aead_setauthsize(private, authsize); + } + + static int aead_setkey(void *private, const u8 *key, unsigned int keylen) + { +- struct aead_tfm *tfm = private; +- +- return crypto_aead_setkey(tfm->aead, key, keylen); ++ return crypto_aead_setkey(private, key, keylen); + } + + static void aead_sock_destruct(struct sock *sk) +@@ -532,11 +415,10 @@ + struct af_alg_ctx *ctx = ask->private; + struct sock *psk = ask->parent; + struct alg_sock *pask = alg_sk(psk); +- struct aead_tfm *aeadc = pask->private; +- struct crypto_aead *tfm = aeadc->aead; ++ struct crypto_aead *tfm = pask->private; unsigned int ivlen = crypto_aead_ivsize(tfm); - af_alg_pull_tsgl(sk, ctx->used, NULL, 0); @@ -299,6 +448,31 @@ Signed-off-by: Andrew Lukoshko sock_kzfree_s(sk, ctx->iv, ivlen); sock_kfree_s(sk, ctx, ctx->len); af_alg_release_parent(sk); +@@ -546,10 +428,9 @@ + { + struct af_alg_ctx *ctx; + struct alg_sock *ask = alg_sk(sk); +- struct aead_tfm *tfm = private; +- struct crypto_aead *aead = tfm->aead; ++ struct crypto_aead *tfm = private; + unsigned int len = sizeof(*ctx); +- unsigned int ivlen = crypto_aead_ivsize(aead); ++ unsigned int ivlen = crypto_aead_ivsize(tfm); + + ctx = sock_kmalloc(sk, len, GFP_KERNEL); + if (!ctx) +@@ -582,9 +463,9 @@ + + static int aead_accept_parent(void *private, struct sock *sk) + { +- struct aead_tfm *tfm = private; ++ struct crypto_aead *tfm = private; + +- if (crypto_aead_get_flags(tfm->aead) & CRYPTO_TFM_NEED_KEY) ++ if (crypto_aead_get_flags(tfm) & CRYPTO_TFM_NEED_KEY) + return -ENOKEY; + + return aead_accept_parent_nokey(private, sk); --- a/crypto/algif_skcipher.c +++ b/crypto/algif_skcipher.c @@ -97,7 +97,7 @@ @@ -328,9 +502,138 @@ Signed-off-by: Andrew Lukoshko sock_kzfree_s(sk, ctx->iv, crypto_skcipher_ivsize(tfm)); sock_kfree_s(sk, ctx, ctx->len); af_alg_release_parent(sk); +--- a/crypto/authenc.c ++++ b/crypto/authenc.c +@@ -14,7 +14,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -33,7 +32,6 @@ + struct crypto_authenc_ctx { + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_skcipher *null; + }; + + struct authenc_request_ctx { +@@ -189,21 +187,6 @@ + authenc_request_complete(areq, err); + } + +-static int crypto_authenc_copy_assoc(struct aead_request *req) +-{ +- struct crypto_aead *authenc = crypto_aead_reqtfm(req); +- struct crypto_authenc_ctx *ctx = crypto_aead_ctx(authenc); +- SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null); +- +- skcipher_request_set_tfm(skreq, ctx->null); +- skcipher_request_set_callback(skreq, aead_request_flags(req), +- NULL, NULL); +- skcipher_request_set_crypt(skreq, req->src, req->dst, req->assoclen, +- NULL); +- +- return crypto_skcipher_encrypt(skreq); +-} +- + static int crypto_authenc_encrypt(struct aead_request *req) + { + struct crypto_aead *authenc = crypto_aead_reqtfm(req); +@@ -222,10 +205,7 @@ + dst = src; + + if (req->src != req->dst) { +- err = crypto_authenc_copy_assoc(req); +- if (err) +- return err; +- ++ memcpy_sglist(req->dst, req->src, req->assoclen); + dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, req->assoclen); + } + +@@ -326,7 +306,6 @@ + struct crypto_authenc_ctx *ctx = crypto_aead_ctx(tfm); + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_skcipher *null; + int err; + + auth = crypto_spawn_ahash(&ictx->auth); +@@ -338,14 +317,8 @@ + if (IS_ERR(enc)) + goto err_free_ahash; + +- null = crypto_get_default_null_skcipher(); +- err = PTR_ERR(null); +- if (IS_ERR(null)) +- goto err_free_skcipher; +- + ctx->auth = auth; + ctx->enc = enc; +- ctx->null = null; + + crypto_aead_set_reqsize( + tfm, +@@ -359,8 +332,6 @@ + + return 0; + +-err_free_skcipher: +- crypto_free_skcipher(enc); + err_free_ahash: + crypto_free_ahash(auth); + return err; +@@ -372,7 +343,6 @@ + + crypto_free_ahash(ctx->auth); + crypto_free_skcipher(ctx->enc); +- crypto_put_default_null_skcipher(); + } + + static void crypto_authenc_free(struct aead_instance *inst) --- a/crypto/authencesn.c +++ b/crypto/authencesn.c -@@ -206,6 +206,9 @@ +@@ -17,7 +17,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -36,7 +35,6 @@ + unsigned int reqoff; + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_skcipher *null; + }; + + struct authenc_esn_request_ctx { +@@ -179,20 +177,6 @@ + authenc_esn_request_complete(areq, err); + } + +-static int crypto_authenc_esn_copy(struct aead_request *req, unsigned int len) +-{ +- struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); +- struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(authenc_esn); +- SKCIPHER_REQUEST_ON_STACK(skreq, ctx->null); +- +- skcipher_request_set_tfm(skreq, ctx->null); +- skcipher_request_set_callback(skreq, aead_request_flags(req), +- NULL, NULL); +- skcipher_request_set_crypt(skreq, req->src, req->dst, len, NULL); +- +- return crypto_skcipher_encrypt(skreq); +-} +- + static int crypto_authenc_esn_encrypt(struct aead_request *req) + { + struct crypto_aead *authenc_esn = crypto_aead_reqtfm(req); +@@ -206,15 +190,15 @@ struct scatterlist *src, *dst; int err; @@ -340,7 +643,17 @@ Signed-off-by: Andrew Lukoshko sg_init_table(areq_ctx->src, 2); src = scatterwalk_ffwd(areq_ctx->src, req->src, assoclen); dst = src; -@@ -245,6 +248,7 @@ + + if (req->src != req->dst) { +- err = crypto_authenc_esn_copy(req, assoclen); +- if (err) +- return err; +- ++ memcpy_sglist(req->dst, req->src, assoclen); + sg_init_table(areq_ctx->dst, 2); + dst = scatterwalk_ffwd(areq_ctx->dst, req->dst, assoclen); + } +@@ -245,6 +229,7 @@ crypto_ahash_alignmask(auth) + 1); unsigned int cryptlen = req->cryptlen - authsize; unsigned int assoclen = req->assoclen; @@ -348,7 +661,7 @@ Signed-off-by: Andrew Lukoshko struct scatterlist *dst = req->dst; u8 *ihash = ohash + crypto_ahash_digestsize(auth); u32 tmp[2]; -@@ -252,23 +256,29 @@ +@@ -252,23 +237,29 @@ if (!authsize) goto decrypt; @@ -384,7 +697,7 @@ Signed-off-by: Andrew Lukoshko return crypto_skcipher_decrypt(skreq); } -@@ -295,31 +305,36 @@ +@@ -295,31 +286,36 @@ unsigned int assoclen = req->assoclen; unsigned int cryptlen = req->cryptlen; u8 *ihash = ohash + crypto_ahash_digestsize(auth); @@ -436,6 +749,46 @@ Signed-off-by: Andrew Lukoshko ahash_request_set_tfm(ahreq, auth); ahash_request_set_crypt(ahreq, dst, ohash, assoclen + cryptlen); +@@ -341,7 +337,6 @@ + struct crypto_authenc_esn_ctx *ctx = crypto_aead_ctx(tfm); + struct crypto_ahash *auth; + struct crypto_skcipher *enc; +- struct crypto_skcipher *null; + int err; + + auth = crypto_spawn_ahash(&ictx->auth); +@@ -353,14 +348,8 @@ + if (IS_ERR(enc)) + goto err_free_ahash; + +- null = crypto_get_default_null_skcipher(); +- err = PTR_ERR(null); +- if (IS_ERR(null)) +- goto err_free_skcipher; +- + ctx->auth = auth; + ctx->enc = enc; +- ctx->null = null; + + ctx->reqoff = ALIGN(2 * crypto_ahash_digestsize(auth), + crypto_ahash_alignmask(auth) + 1); +@@ -377,8 +366,6 @@ + + return 0; + +-err_free_skcipher: +- crypto_free_skcipher(enc); + err_free_ahash: + crypto_free_ahash(auth); + return err; +@@ -390,7 +377,6 @@ + + crypto_free_ahash(ctx->auth); + crypto_free_skcipher(ctx->enc); +- crypto_put_default_null_skcipher(); + } + + static void crypto_authenc_esn_free(struct aead_instance *inst) --- a/crypto/scatterwalk.c +++ b/crypto/scatterwalk.c @@ -74,6 +74,104 @@ @@ -543,6 +896,24 @@ Signed-off-by: Andrew Lukoshko struct scatterlist *scatterwalk_ffwd(struct scatterlist dst[2], struct scatterlist *src, unsigned int len) +--- a/crypto/Kconfig ++++ b/crypto/Kconfig +@@ -240,7 +240,6 @@ + select CRYPTO_BLKCIPHER + select CRYPTO_MANAGER + select CRYPTO_HASH +- select CRYPTO_NULL + help + Authenc: Combined mode wrapper for IPsec. + This is required for IPSec. +@@ -1863,7 +1862,6 @@ + depends on NET + select CRYPTO_AEAD + select CRYPTO_BLKCIPHER +- select CRYPTO_NULL + select CRYPTO_USER_API + help + This option enables the user-spaces interface for AEAD --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -231,9 +231,8 @@