kernel/SOURCES/1186-crypto-algif-aead-fix-minimum-rx-size-check-for-decryption.patch
Andrew Lukoshko 5c58271075 Recreate RHEL 5.14.0-687.10.1 from CS9/upstream backports
Drop the 687.5.3/687.5.4 security-ahead patches superseded by the RHEL
687.6.1..687.10.1 backports (1100-1104), and add those backports (1100-1196)
sourced from centos-stream-9 and upstream stable. Keep the AlmaLinux-ahead
smb cifs.spnego fix (retained as 1197). Bump to 5.14.0-687.10.1.
2026-06-06 22:36:55 +00:00

43 lines
1.4 KiB
Diff

From 834916d950469022e266fb8667df2c17af47df94 Mon Sep 17 00:00:00 2001
From: Herbert Xu <herbert.xu@redhat.com>
Date: Fri, 1 May 2026 21:56:44 +0800
Subject: [PATCH] crypto: algif_aead - Fix minimum RX size check for decryption
JIRA: https://redhat.atlassian.net/browse/RHEL-172207
Upstream Status: 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
Author: Herbert Xu <herbert@gondor.apana.org.au>
Date: Sun Apr 12 13:32:21 2026 +0800
crypto: algif_aead - Fix minimum RX size check for decryption
The check for the minimum receive buffer size did not take the
tag size into account during decryption. Fix this by adding the
required extra length.
Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
Reported-by: Daniel Pouzzner <douzzer@mega.nu>
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
index 4a6a0bb1ae3c..029f1bd72fd7 100644
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -169,7 +169,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
if (usedpages < outlen) {
size_t less = outlen - usedpages;
- if (used < less) {
+ if (used < less + (ctx->enc ? 0 : as)) {
err = -EINVAL;
goto free;
}
--
2.50.1 (Apple Git-155)