Drop the 687.5.3/687.5.4 security-ahead patches superseded by the RHEL 687.6.1..687.10.1 backports (1100-1104), and add those backports (1100-1196) sourced from centos-stream-9 and upstream stable. Keep the AlmaLinux-ahead smb cifs.spnego fix (retained as 1197). Bump to 5.14.0-687.10.1.
43 lines
1.4 KiB
Diff
43 lines
1.4 KiB
Diff
From 834916d950469022e266fb8667df2c17af47df94 Mon Sep 17 00:00:00 2001
|
|
From: Herbert Xu <herbert.xu@redhat.com>
|
|
Date: Fri, 1 May 2026 21:56:44 +0800
|
|
Subject: [PATCH] crypto: algif_aead - Fix minimum RX size check for decryption
|
|
|
|
JIRA: https://redhat.atlassian.net/browse/RHEL-172207
|
|
|
|
Upstream Status: 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
|
|
|
|
commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c
|
|
Author: Herbert Xu <herbert@gondor.apana.org.au>
|
|
Date: Sun Apr 12 13:32:21 2026 +0800
|
|
|
|
crypto: algif_aead - Fix minimum RX size check for decryption
|
|
|
|
The check for the minimum receive buffer size did not take the
|
|
tag size into account during decryption. Fix this by adding the
|
|
required extra length.
|
|
|
|
Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com
|
|
Reported-by: Daniel Pouzzner <douzzer@mega.nu>
|
|
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
|
|
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
|
|
|
|
Signed-off-by: Herbert Xu <herbert.xu@redhat.com>
|
|
|
|
diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
|
|
index 4a6a0bb1ae3c..029f1bd72fd7 100644
|
|
--- a/crypto/algif_aead.c
|
|
+++ b/crypto/algif_aead.c
|
|
@@ -169,7 +169,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
|
|
if (usedpages < outlen) {
|
|
size_t less = outlen - usedpages;
|
|
|
|
- if (used < less) {
|
|
+ if (used < less + (ctx->enc ? 0 : as)) {
|
|
err = -EINVAL;
|
|
goto free;
|
|
}
|
|
--
|
|
2.50.1 (Apple Git-155)
|
|
|