Andrew Lukoshko
b3393f484c
Drop the 211.7.x security-ahead patches superseded by the RHEL 211.8.1..211.16.1 backports (1100-1104), add those backports (1106-1161) from centos-stream-10 and upstream linux-6.12.y. Keep the smb cifs.spnego ahead-fix (1105). Bump to 211.16.1.
43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
From 51c927390f506ab91a571fff14994406e8a43fb4 Mon Sep 17 00:00:00 2001
|
|
From: Herbert Xu <herbert.xu@redhat.com>
|
|
Date: Fri, 1 May 2026 21:45:28 +0800
|
|
Subject: [PATCH] crypto: algif_aead - Fix minimum RX size check for decryption
|
|
|
|
JIRA: https://redhat.atlassian.net/browse/RHEL-172216
|
|
|
|
Upstream Status: 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
|
|
|
|
commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
|
|
Author: Herbert Xu <herbert@gondor.apana.org.au>
|
|
Date: Sun Apr 12 13:32:21 2026 +0800
|
|
|
|
crypto: algif_aead - Fix minimum RX size check for decryption
|
|
|
|
The check for the minimum receive buffer size did not take the
|
|
tag size into account during decryption. Fix this by adding the
|
|
required extra length.
|
|
|
|
Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
|
|
Reported-by: Daniel Pouzzner <douzzer@mega.nu>
|
|
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
|
|
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
|
|
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
|
|
|
|
diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
|
|
index dff71bd753a7..93a7cb4f269c 100644
|
|
--- a/crypto/algif_aead.c
|
|
+++ b/crypto/algif_aead.c
|
|
@@ -169,7 +169,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
|
|
if (usedpages < outlen) {
|
|
size_t less = outlen - usedpages;
|
|
|
|
- if (used < less) {
|
|
+ if (used < less + (ctx->enc ? 0 : as)) {
|
|
err = -EINVAL;
|
|
goto free;
|
|
}
|
|
--
|
|
2.50.1 (Apple Git-155)
|
|
|