{"id":2231526,"url":"http://patchwork.ozlabs.org/api/patches/2231526/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/f3f124545c78c5541e86eb6c1abfd73539a9a895.1777576834.git.massimiliano.pellizzer@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<f3f124545c78c5541e86eb6c1abfd73539a9a895.1777576834.git.massimiliano.pellizzer@canonical.com>","list_archive_url":null,"date":"2026-04-30T19:28:20","name":"[SRU,N,v2,9/9] crypto: algif_aead - Fix minimum RX size check for decryption","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"d65a9fa861a431b0ec42301a0373de6fbebdc496","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/f3f124545c78c5541e86eb6c1abfd73539a9a895.1777576834.git.massimiliano.pellizzer@canonical.com/mbox/","series":[{"id":502367,"url":"http://patchwork.ozlabs.org/api/series/502367/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502367","date":"2026-04-30T19:28:11","name":"CVE-2026-31431","version":2,"mbox":"http://patchwork.ozlabs.org/series/502367/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231526/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231526/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=XQ3JWloj;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g644Q5Hsnz1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 05:29:42 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wIX4o-0002e7-KO; Thu, 30 Apr 2026 19:29:34 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1wIX4i-0002Dh-Md\n for kernel-team@lists.ubuntu.com; Thu, 30 Apr 2026 19:29:28 +0000","from mail-wm1-f72.google.com (mail-wm1-f72.google.com\n [209.85.128.72])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 945163F637\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 19:29:28 +0000 (UTC)","by mail-wm1-f72.google.com with SMTP id\n 5b1f17b1804b1-48a55ecc32cso11140195e9.1\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 12:29:28 -0700 (PDT)","from tuxedo-infinitybook (net-93-71-66-38.cust.vodafonedsl.it.\n [93.71.66.38]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-448e74324a5sm8133217f8f.12.2026.04.30.12.29.26\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 30 Apr 2026 12:29:27 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777577368;\n bh=UQLMznSWD/b/EFzbvoT+362yv+LBQdwqb1qHLgqECgs=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=XQ3JWlojm9z/OOUfynpTWq1UAdOlvb3sPWxaiFVMosbAZju8ExIQLQeMKK3r7ORUj\n 1t89DglLpwQPDgVkkbC1+NkVhh4AhkGdgfK2YD9JpvNg/yN31qpFuu9vmw1WD7d8E8\n kkryFkPQi9fjEDAgImv2wfS5vUUTRW/Ha21dcn6Hg3598RKK+GYmdvdfoL8AC74JMz\n UPC4pALgQ5JOAOb64y1AkTiTcQ2jf5omWNj44ToZ7qCLazQBxZEsL2Vcdfb/Wbjw7I\n yVysOpGfEPci/RsE5kDDc6zJdZY1B4wan92st/qDM3n7vZgvM824dXXQIf1QVRD/O+\n UvrvQhYn7h+2I/NI9JAR64RwQeuU8roXB0qoKaMpbrBkCF7wlvJi0T0WPRH7XYnzWN\n KDVQ3YgoDXaek2lzA00d3Jul7K0HJCZ59BOh6KLDsSMTTQBzFcfJDUf+VMF/aKNbbJ\n fAHqs8UiYPxfnxCBjFs6blAtkzi411hn7oQEDebDjrbvwhl7hGNmRS51Hj/bByK8RX\n Xe7CnvbG9wpTlqYMInA+L0107E95+xCKgdNw5d5eZ3GBm++7f70onIQtP2lXe2K2q1\n 0ef/+Rizp1Dl4co1w7MbC4bGbumEryBukUPvSewhxr6YutDM1td8Wj3HbWJH37iElJ\n CeGsvNfhBvkuPtY2Iedfe8Co=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777577368; x=1778182168;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=UQLMznSWD/b/EFzbvoT+362yv+LBQdwqb1qHLgqECgs=;\n b=hlXpivDJBKaUlf+JXvvWGsLEso2qaPY8IP7Sv1sViafQmEe2Q9lGjGv/G7ldpO4fdd\n LJWEkg3IRBZ+KhKX74zNIEk6avIWzycsq3quJtKVTBuQopHoUHDW8l1uY7MyIzsLX4NF\n dZNypnK66rRqzmnjdTx13Un32mi1LnqB0Srr6dSKN7Q9cPpSBIehOreF4lYJe9b8cxjj\n dNSI1Pl98+nZlBq3Qmh1eVLEEcy/Zi+LxjqcQdl7s1zxkE5oU9pXxSNPAoSP/ySHiyJU\n t8XAsbPwvfp4Jxlr2yMIo6LLfzDS5zqSeK25ZOud+bp+m/3JtAjB8sSD6Ia0aBfewTk9\n PZ1Q==","X-Gm-Message-State":"AOJu0YzxGxFl33+XfiVSm0a8FALob3qOG4l2r64TzWsJ3aSEQnKwAw1q\n S3zBsFjobwoD8UnKxdusoMxcBBT5w27uAx4rJzGHV0bKYKDx2x84BGfwzbVzJBc1dYKJ/28fHNO\n k3175tjZGK5pf8z9Feo6pftWc1K1PaIPjcsmNh1FbGL3zP1nVSo4xFhYfVzWH+IKxrUpdFxkCuB\n 8Ly7y2V7RXcK5QWg==","X-Gm-Gg":"AeBDiescMGLFBDwqWcksHvHwJqdZbAeokPpV81pZZvMcAVr1SB53hXZSfq+GHMYnLow\n yjN5Q80RHtkSWalZ5MQkcaz5GAhgwIXHnDK7v8dZ70TQOYA5pfVblm82kUCO2F2eqE272RQvkEZ\n 0vOh+78sGJUBFv7/hrLqrJ9M52rLpdhxfrNoI4JigPwzeCR1o1iE7bZWbHX+Dp+zPxoeCPW2Bhh\n Xtoq2kr1QeFRp+e2jnwyh+kFm2u22l6s49MULzaZusV5ef9uyN77Rnb/DrE2Nps5kFJ5vpm9OB0\n YGbBshZGUBYVefJCIB8fQ9/wa8A2cE48U0o6QufEUEB7oT0kPID06bdPJnC8OCnGHy9SolNgrW2\n oP9tWpxLWX2b2InDSTEbsX/YynPGSaoq0DT1NKY30PEq8/pyB7LGuHgARsvXlJyI0gbjjjC+lrW\n 9uyC32SoHN3zFcvc9Gqqr+ClzStPKVEG+BfelKUfM+WkE/yGejQlx/iXmFODc80cvtROu/porPy\n /TGZRQTahg+wA==","X-Received":["by 2002:a05:600c:8593:b0:488:af48:af11 with SMTP id\n 5b1f17b1804b1-48a83d66d72mr52623275e9.1.1777577367861;\n Thu, 30 Apr 2026 12:29:27 -0700 (PDT)","by 2002:a05:600c:8593:b0:488:af48:af11 with SMTP id\n 5b1f17b1804b1-48a83d66d72mr52623045e9.1.1777577367494;\n Thu, 30 Apr 2026 12:29:27 -0700 (PDT)"],"From":"Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][N][PATCH v2 9/9] crypto: algif_aead - Fix minimum RX size check\n for decryption","Date":"Thu, 30 Apr 2026 21:28:20 +0200","Message-ID":"\n <f3f124545c78c5541e86eb6c1abfd73539a9a895.1777576834.git.massimiliano.pellizzer@canonical.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<cover.1777576834.git.massimiliano.pellizzer@canonical.com>","References":"\n <177757626672.818044.11792928639290212185@tuxedo-infinitybook.public>\n <cover.1777576834.git.massimiliano.pellizzer@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Herbert Xu <herbert@gondor.apana.org.au>\n\n[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]\n\nThe check for the minimum receive buffer size did not take the\ntag size into account during decryption.  Fix this by adding the\nrequired extra length.\n\nReported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com\nReported-by: Daniel Pouzzner <douzzer@mega.nu>\nFixes: d887c52d6ae4 (\"crypto: algif_aead - overhaul memory management\")\nSigned-off-by: Herbert Xu <herbert@gondor.apana.org.au>\nSigned-off-by: Sasha Levin <sashal@kernel.org>\n(cherry picked from commit af2fa2fbbced26129813274b8b3f7705f280e174 linux-6.12.y)\nCVE-2026-31431\nSigned-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>\n---\n crypto/algif_aead.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c\nindex c54693d18832..cb651ab58d62 100644\n--- a/crypto/algif_aead.c\n+++ b/crypto/algif_aead.c\n@@ -150,7 +150,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,\n \tif (usedpages < outlen) {\n \t\tsize_t less = outlen - usedpages;\n \n-\t\tif (used < less) {\n+\t\tif (used < less + (ctx->enc ? 0 : as)) {\n \t\t\terr = -EINVAL;\n \t\t\tgoto free;\n \t\t}\n","prefixes":["SRU","N","v2","9/9"]}