{"id":2231273,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2231273/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777552173.git.massimiliano.pellizzer@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.2/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777552173.git.massimiliano.pellizzer@canonical.com>","list_archive_url":null,"date":"2026-04-30T12:30:37","name":"[SRU,J,9/9] crypto: algif_aead - Fix minimum RX size check for decryption","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"d65a9fa861a431b0ec42301a0373de6fbebdc496","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/1.2/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777552173.git.massimiliano.pellizzer@canonical.com/mbox/","series":[{"id":502300,"url":"http://patchwork.ozlabs.org/api/1.2/series/502300/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502300","date":"2026-04-30T12:30:28","name":"CVE-2026-31431","version":1,"mbox":"http://patchwork.ozlabs.org/series/502300/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231273/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231273/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=oIkWnRTD;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5tpb2my4z23gq\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 30 Apr 2026 22:32:07 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wIQYh-0006m1-EO; Thu, 30 Apr 2026 12:31:59 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1wIQYO-0005Kt-2i\n for kernel-team@lists.ubuntu.com; Thu, 30 Apr 2026 12:31:40 +0000","from mail-wm1-f69.google.com (mail-wm1-f69.google.com\n [209.85.128.69])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 710223F9CB\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 12:31:39 +0000 (UTC)","by mail-wm1-f69.google.com with SMTP id\n 5b1f17b1804b1-488c0fcc6deso6956325e9.2\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 05:31:39 -0700 (PDT)","from tuxedo-infinitybook.ts.net\n (net-93-71-66-38.cust.vodafonedsl.it. [93.71.66.38])\n by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48a81ed6bafsm103695005e9.2.2026.04.30.05.31.37\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 30 Apr 2026 05:31:37 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777552299;\n bh=HD+bHiViIb7t9FdvzLmbVHPqIsPT1bsGbDILxeajVtY=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=oIkWnRTDOf0xk+rGFCWzBUV0YW4G9+eRbCYQIWswCzYPIkmA7S/8o6xivqS+aRojj\n f7fxXMYrLLmd1hm9YGKfwvYjl055Vzu919WvuRqSQzLv3Am9cbWa/Uky6qfxOInncs\n 8oE4fXFC0SqXy+MJ89yKHzE70rBfq85tVRMESiaBb5aeXpGlfr40klT9s5us4Qdj31\n ZAPsRkIf/FgAXz6XVvl21K831kFJ6nq0W+dBE5jSEfBvQJwOlQcZsrgGgZxOCZIhd1\n sbMG1oFJ6C8oOn8EMoaxudchHlQ09M30aeM2zcMeJqC6hr7DuNW8CqjL2Oh1VMg69M\n jreYqA95MWlNIYw6nhPEV5B3MEJ4sqGBRSjH0YHi9GLisbSdPq7l3r/KlfQQDGiBHp\n vcfgl+wDykQxrTuRwTGdzqQYcAjcwosBIQx/5lMWzTyZSMDfCnk8m5pH9O38dz5QqG\n bFk8FEOPPcaxT3o2k35USjsgBX+cQo29yuSHBcFX4wPenhbsIl28+lQlREKSUfu+hB\n nJhDCDXlvKJoenwoVy7yf2JR7XF90RO2/fsZN4/E1D8AQja5iUGwUZpKzOEXIt17n3\n 2tIdU6518JU5fsXUyplpIq76qMvnKf4pO0J8jIVw//J5oxa7GNa7lfUWLgr0+IFSGU\n 0YFbNOC7fx/id6eqLnSStUDA=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777552299; x=1778157099;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=HD+bHiViIb7t9FdvzLmbVHPqIsPT1bsGbDILxeajVtY=;\n b=LBH7DSiX2ImaNActYGVSGXuehWOqhPZezbkFS2Xp7sK8amqU+nTyOg2QYIavPFju/x\n AHe+B9e0dGRFO3dSWs+B/hhUhr5xvF8DB+Vuqupp/6LkXoKXN+pS2/q7ZaGrOkHj92J2\n SXFjE43FZxG5V7BYFTEQBEL5p1z3d6oRVs/0BgTsZERGKGGw2dsaX0fdOzwALC//VyW6\n YG+MLxvLe8BhvUO2GYBrUt7WD8S5/K5HovWi0GgQhCJzNUZk0h/IChfSph0IT6d3ZN+Z\n npco1I2w4KzxgMtqdgP6iyrEh3xftWjC10x6sgCu/IozGf6lyO93aiWJ9P7hPDtQrXou\n XMPQ==","X-Gm-Message-State":"AOJu0YzP2MgcC9bc+ymffM3T/ITzmoFPp2wR2k+GbBCQBQ0ySWaoe6mL\n Q94w1rq+qsWbg3Knt14RFv7vxNEtvniMhzdWSmgiS9tQmrtofMBKd7NK2PAN/AasVC+T+QLtNAx\n ah6cnwJeqQ8VN4wqWgMV3yoMRcFQ3BB83NSYL5EgDLydd0MqGX3HYODM4jk0j25GLm5RdK+/2RV\n QFVFyIIQzNHa884A==","X-Gm-Gg":"AeBDietdDofu+IzOLsY++wAgtfijMGrXorFPi28nKEKtk/IHhPolodIU1q44P32eaiJ\n jRlE3EIdJUjwcEyxj1y6Gkqoiu6s3xCW2+6wIkN1ul6acGrMWHT3s/qBVbHwhsD89Z58aTV9Oi7\n zM4nD1X5f1W6qCx4A0lDINwp3cUJRRLul5ypPH2JHuqnOMrWO3yrJze9C5mGynz5aZvqXDkGZ6L\n RwBAoDenvfwGo2vOgSAvdDUHdXPPl1eRwIrOrvz8DRs6owx0DabcAZq2r+T3L6AKFybvJDG9u/D\n EtjDuzfAPVLMX7vluddSRoxBJYRLC3PvKq1fFKuuJXFXvuX+2JrB8yyg3uorOPcqF4PfW/rj4Ta\n 3bwLrUHZA7vK9vo1N78optShmfaOZCC/UfK2iHJ8T2uAAod5s3AmlJQkMDf3eBlkvY4TGYpnBTO\n n+BFPaue7rG/P+9eOEb9vfSErTdD+9gqsj9061FkFk7AKDh1dsEBg0H7GAgOKD+9BHGKasQ0G2e\n UqfT5JdrdhYcGrQ36H6uaA=","X-Received":["by 2002:a05:600c:1e0f:b0:48a:5333:811e with SMTP id\n 5b1f17b1804b1-48a84451f8emr45836185e9.15.1777552298639;\n Thu, 30 Apr 2026 05:31:38 -0700 (PDT)","by 2002:a05:600c:1e0f:b0:48a:5333:811e with SMTP id\n 5b1f17b1804b1-48a84451f8emr45835745e9.15.1777552298094;\n Thu, 30 Apr 2026 05:31:38 -0700 (PDT)"],"From":"Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH 9/9] crypto: algif_aead - Fix minimum RX size check\n for decryption","Date":"Thu, 30 Apr 2026 14:30:37 +0200","Message-ID":"\n <e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777552173.git.massimiliano.pellizzer@canonical.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<cover.1777552173.git.massimiliano.pellizzer@canonical.com>","References":"\n <177754965576.503496.12142658280614619991@tuxedo-infinitybook.public>\n <cover.1777552173.git.massimiliano.pellizzer@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Herbert Xu <herbert@gondor.apana.org.au>\n\ncommit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c upstream.\n\nThe check for the minimum receive buffer size did not take the\ntag size into account during decryption.  Fix this by adding the\nrequired extra length.\n\nReported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com\nReported-by: Daniel Pouzzner <douzzer@mega.nu>\nFixes: d887c52d6ae4 (\"crypto: algif_aead - overhaul memory management\")\nSigned-off-by: Herbert Xu <herbert@gondor.apana.org.au>\nSigned-off-by: Eric Biggers <ebiggers@kernel.org>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n(cherry picked from commit fd427dd84f224309afbcc2cb67c7bb770a01265c linux-5.15.y)\nCVE-2026-31431\nSigned-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>\n---\n crypto/algif_aead.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c\nindex 24e77f4968a61..4a285994d106c 100644\n--- a/crypto/algif_aead.c\n+++ b/crypto/algif_aead.c\n@@ -150,7 +150,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,\n \tif (usedpages < outlen) {\n \t\tsize_t less = outlen - usedpages;\n \n-\t\tif (used < less) {\n+\t\tif (used < less + (ctx->enc ? 0 : as)) {\n \t\t\terr = -EINVAL;\n \t\t\tgoto free;\n \t\t}\n","prefixes":["SRU","J","9/9"]}