From 773433ec58bc8fd361d7c27607f00d18869322ab Mon Sep 17 00:00:00 2001
From: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>
Date: Tue, 28 Apr 2026 11:53:43 +0000
Subject: [PATCH] rxrpc: fix RESPONSE authenticator parser OOB read

JIRA: https://redhat.atlassian.net/browse/RHEL-171457
CVE: CVE-2026-31636

commit 3e3138007887504ee9206d0bfb5acb062c600025
Author: Keenan Dong <keenanat2000@gmail.com>
Date:   Wed Apr 8 13:12:40 2026 +0100

    rxrpc: fix RESPONSE authenticator parser OOB read

    rxgk_verify_authenticator() copies auth_len bytes into a temporary
    buffer and then passes p + auth_len as the parser limit to
    rxgk_do_verify_authenticator(). Since p is a __be32 *, that inflates the
    parser end pointer by a factor of four and lets malformed RESPONSE
    authenticators read past the kmalloc() buffer.

    Decoded from the original latest-net reproduction logs with
    scripts/decode_stacktrace.sh:

    BUG: KASAN: slab-out-of-bounds in rxgk_verify_response()
    Call Trace:
     dump_stack_lvl() [lib/dump_stack.c:123]
     print_report() [mm/kasan/report.c:379 mm/kasan/report.c:482]
     kasan_report() [mm/kasan/report.c:597]
     rxgk_verify_response()
       [net/rxrpc/rxgk.c:1103 net/rxrpc/rxgk.c:1167
        net/rxrpc/rxgk.c:1274]
     rxrpc_process_connection()
       [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364
        net/rxrpc/conn_event.c:386]
     process_one_work() [kernel/workqueue.c:3281]
     worker_thread()
       [kernel/workqueue.c:3353 kernel/workqueue.c:3440]
     kthread() [kernel/kthread.c:436]
     ret_from_fork() [arch/x86/kernel/process.c:164]

    Allocated by task 54:
     rxgk_verify_response()
       [include/linux/slab.h:954 net/rxrpc/rxgk.c:1155
        net/rxrpc/rxgk.c:1274]
     rxrpc_process_connection()
       [net/rxrpc/conn_event.c:266 net/rxrpc/conn_event.c:364
        net/rxrpc/conn_event.c:386]

    Convert the byte count to __be32 units before constructing the parser
    limit.

    Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
    Signed-off-by: Keenan Dong <keenanat2000@gmail.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: Simon Horman <horms@kernel.org>
    cc: Willy Tarreau <w@1wt.eu>
    cc: linux-afs@lists.infradead.org
    cc: stable@kernel.org
    Link: https://patch.msgid.link/20260408121252.2249051-13-dhowells@redhat.com
    Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com>

diff --git a/net/rxrpc/rxgk.c b/net/rxrpc/rxgk.c
index dce5a3d8a964..8d17b49e4f13 100644
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1164,7 +1164,8 @@ static int rxgk_verify_authenticator(struct rxrpc_connection *conn,
}

p = auth;
- ret = rxgk_do_verify_authenticator(conn, krb5, skb, p, p + auth_len);
+ ret = rxgk_do_verify_authenticator(conn, krb5, skb, p,
+ p + auth_len / sizeof(*p));
error:
kfree(auth);
return ret;
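Review bot: the corrected limit `p + auth_len / sizeof(*p)` truncates when auth_len is not a multiple of sizeof(__be32); that is safe, since the limit can only move inward, but a trailing partial word is then silently dropped from the parse rather than rejected. Consider either checking that auth_len is 4-byte aligned before this call and failing the RESPONSE otherwise, or adding a one-line comment at the `+` line stating that the integer division is intended, so a later reader does not "fix" it back to the byte count.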
-- 
2.50.1 (Apple Git-155)
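To make the unit mismatch in the commit message concrete, here is an added example that is not kernel code and not part of the patch: it builds the parser limit both the buggy and the corrected way over a constructed buffer and reports how far past an auth_len-byte allocation a limit-checked field walk would reach. `be32`, `backing`, `parser_limit`, `bytes_parser_may_read` and `overrun_bytes` are names chosen for this demonstration only.

```c
#include <stddef.h>
#include <stdint.h>

typedef uint32_t be32;            /* stand-in for the kernel's __be32 */

#define BACKING_WORDS 64          /* auth buffer plus the slab neighbours after it */

/* Build the parser limit exactly as the buggy (fixed == 0) and corrected
 * (fixed == 1) lines do.  With a be32 *p, "p + auth_len" advances
 * auth_len words, i.e. 4 * auth_len bytes, not auth_len bytes. */
static be32 *parser_limit(be32 *p, size_t auth_len, int fixed)
{
    return fixed ? p + auth_len / sizeof(*p) : p + auth_len;
}

/* Walk 32-bit fields from p while p < end, as a limit-checked XDR parser
 * would, and return the number of bytes the walk covers.  Only the first
 * auth_len bytes of `backing` model the kmalloc()'d authenticator; the
 * rest stands in for adjacent slab memory.  auth_len must not exceed
 * BACKING_WORDS so every pointer formed here stays inside the array
 * (constructed sample memory; keeps the demonstration well defined). */
size_t bytes_parser_may_read(size_t auth_len, int fixed)
{
    static be32 backing[BACKING_WORDS];   /* constructed sample memory */
    be32 *p = backing;
    be32 *end;
    size_t consumed = 0;

    if (auth_len > BACKING_WORDS)
        return 0;                         /* outside what the demo models */
    end = parser_limit(p, auth_len, fixed);
    while (p < end) {
        (void)*p++;                       /* "parse" one 32-bit field */
        consumed += sizeof(be32);
    }
    return consumed;
}

/* Bytes the parser is willing to read beyond the auth_len-byte buffer:
 * non-zero means the limit points past the allocation (what KASAN reported
 * as slab-out-of-bounds), zero means the limit stays inside it. */
size_t overrun_bytes(size_t auth_len, int fixed)
{
    size_t readable = bytes_parser_may_read(auth_len, fixed);

    return readable > auth_len ? readable - auth_len : 0;
}
```

With a 16-byte authenticator the buggy limit lets the walk cover 64 bytes (48 beyond the allocation), while the corrected limit stops at 16; an 18-byte input with the corrected limit stops at 16, showing the truncation of a trailing partial word.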