{"id":2231537,"url":"http://patchwork.ozlabs.org/api/patches/2231537/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777577013.git.massimiliano.pellizzer@canonical.com/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777577013.git.massimiliano.pellizzer@canonical.com>","list_archive_url":null,"date":"2026-04-30T19:28:30","name":"[SRU,J,v2,9/9] crypto: algif_aead - Fix minimum RX size check for decryption","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"d65a9fa861a431b0ec42301a0373de6fbebdc496","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/patch/e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777577013.git.massimiliano.pellizzer@canonical.com/mbox/","series":[{"id":502368,"url":"http://patchwork.ozlabs.org/api/series/502368/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/list/?series=502368","date":"2026-04-30T19:28:21","name":"CVE-2026-31431","version":2,"mbox":"http://patchwork.ozlabs.org/series/502368/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2231537/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2231537/checks/","tags":{},"related":[],"headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=L7w7rxYP;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g644p6xN7z1yHv\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 01 May 2026 05:30:02 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wIX5A-0004b1-Ow; Thu, 30 Apr 2026 19:29:56 +0000","from smtp-relay-internal-1.internal ([10.131.114.114]\n helo=smtp-relay-internal-1.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1wIX4q-0002lf-OX\n for kernel-team@lists.ubuntu.com; Thu, 30 Apr 2026 19:29:36 +0000","from mail-wr1-f72.google.com (mail-wr1-f72.google.com\n [209.85.221.72])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-1.canonical.com (Postfix) with ESMTPS id 232573F637\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 19:29:36 +0000 (UTC)","by mail-wr1-f72.google.com with SMTP id\n ffacd0b85a97d-43d103e46c3so788265f8f.3\n for <kernel-team@lists.ubuntu.com>; Thu, 30 Apr 2026 12:29:36 -0700 (PDT)","from tuxedo-infinitybook (net-93-71-66-38.cust.vodafonedsl.it.\n [93.71.66.38]) by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-448e74324a5sm8133217f8f.12.2026.04.30.12.29.34\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 30 Apr 2026 12:29:34 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1777577376;\n bh=HD+bHiViIb7t9FdvzLmbVHPqIsPT1bsGbDILxeajVtY=;\n h=From:To:Subject:Date:Message-ID:In-Reply-To:References:\n MIME-Version;\n b=L7w7rxYP2QvHKaqrCFXOC4Z7ouH4BLFo/Dd9ryuGawwuTXCLTpGH9eXjkcWDhxpf+\n xIvf71pEPQA1avIwWsQRt2xkdazVtSelLsXBS04+qLcHYGokPVCf+C/SyBGZQnXZnA\n kBsPXLxMnoiH/+k9cu3g6rcsG7anQdTRYKChuYFeTKtMl7g3HEtGAAhGnZtImXx7nd\n ikemRveu5SIaGhq88k5o9hZpvmKgD2XrmGCbWcg0cpjgsb8yw7+kv9TQdann+SQOFU\n FLVhiROEPlvnLZBhVYMl47YZ89rv1JItdvYRQHbphGFu1gGiTkJei9OTucqg9t2V9M\n zPD7X9fM9hQyifn6LUdmjUv/2ZgiOhB0OryAdpfesKcw+MRWoMd5gBCO40C4xJavW5\n 4PYU1nO9uuE6t+WP5fCC2t8i8368S3BHTIt0VWKH03apwxclAak6dit85UD2jRn6Vo\n UBNQUcibCCyYhowhgB8mdO9SZkH1bs6XnXTEPXVCHKLEHpMvNAbRytw9qClTYa5hkX\n Wxhusp8AMYVFfe54IYunoDu0WxjOVGqp5+MPCcNtTV8MmTbwqQ/sNJEmv64zsPmQIK\n Q8UASAFP6uvEjTZaQgRcqk8niZZZvgL3190B9xdBZWZ1r2qZ3EezyxMI+zoEuPdh//\n kqXOXGL9vhJAebgtZ/h6gpeY=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1777577375; x=1778182175;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:to:from:x-gm-gg:x-gm-message-state:from:to\n :cc:subject:date:message-id:reply-to;\n bh=HD+bHiViIb7t9FdvzLmbVHPqIsPT1bsGbDILxeajVtY=;\n b=dsqYJtSSTAvWBH7oKoCkFQIc4k0yeymhMB0ilk55doTKWoXrtY8WRWOyJSYlEpXBvN\n xGl5PUQwV1gFZ4e3txcs2AZamunUVVTBMA7bJTn5eGfbNjo9Xk1LB0XIuSc2d36u47ke\n Gxhdgjmkfk4ARz4Jjujwu8jEnfajnAa9eq9sbfon365pfDSmc9reJdctpvoBFwf3GhdL\n GM9gndkpa01Cq5B7R9TLzElcWLlahDMmiVHJWzeeK9CVcJQOsWfm3q3kv/2QTsbWViac\n DJM7VOWUaJE+jJTp943MunS5XUVlZo2gohnnmNNtEu3kbS6RLV2hKVQ93eJvoD3xW0Tp\n 8yoA==","X-Gm-Message-State":"AOJu0YxU1z+6FCFtUNl0sDGVKfsJH+PLfcUabANL5idhLj4Sw07aOS0n\n WkfFwkntWES7TennVSp4nMTDO/rj6TPgQNPDPPh6ic2fmMj9TFtuVzGMXFFXcdVhKrIf2DxD9CN\n PNp08IU4alILvolvqDGsJ5T75XXOef3Cg9ZV8bUcVRlkbKw14sYTO8oi473NN56lyEkj9mkjTYm\n C5eAHhC+CqCia8Ug==","X-Gm-Gg":"AeBDies400oyaw10JzwilOBN9wDdDhqxgHMAUqNRXVTZXcNCva7zM04mYakzx/ueSiM\n IiFzfAEgNJhPcFXGZbKcu0GnlMJlMqPgqf03eMh3vvFWJdRRM2yI7TERgoDQZeW/tTW4eQdRRoL\n jHa8teL7RcgmQCUR/y34NsVtCCRUe78XzuWK/x4hsbZOaMX+A+UCy+k7Tb1JhSfmrqhQVof9oPd\n HKRHrVKfWiVKY0q6oRaOuRq+CBFRe0rSS5RlAi6Q7emSMpaxGsd7C40H6Q/yQ/KlLqtsaIk23aO\n MLRjBiiTFTRe5SVfeNt1iG0cMvQojQVUj8MswUfsGpOKv/8XIUKGFWqJojVKkwXJ9rJOp/bQdKA\n +giLPjLdiKyqBQUJRupSYHN0nwzLQm2UQcELqu3VqVqcpRFcWGIKQylP+0r1r2pb21Umde3bi3J\n P1O2Dkp/GAfjChCdpJD5zA1GKtAfmc61TWi28ACR6nQaugnSQlIFeDDApzh0cwf498d9YVH+qbi\n pOlRcBR5hmkoQ==","X-Received":["by 2002:a05:6000:1786:b0:43b:4136:1e6f with SMTP id\n ffacd0b85a97d-4493ee4d4d0mr7340972f8f.38.1777577375468;\n Thu, 30 Apr 2026 12:29:35 -0700 (PDT)","by 2002:a05:6000:1786:b0:43b:4136:1e6f with SMTP id\n ffacd0b85a97d-4493ee4d4d0mr7340945f8f.38.1777577375003;\n Thu, 30 Apr 2026 12:29:35 -0700 (PDT)"],"From":"Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][J][PATCH v2 9/9] crypto: algif_aead - Fix minimum RX size check\n for decryption","Date":"Thu, 30 Apr 2026 21:28:30 +0200","Message-ID":"\n <e41a08b7ba655a0fba145d507bbfb66a25b050e9.1777577013.git.massimiliano.pellizzer@canonical.com>","X-Mailer":"git-send-email 2.53.0","In-Reply-To":"<cover.1777577013.git.massimiliano.pellizzer@canonical.com>","References":"\n <177757626672.818044.11792928639290212185@tuxedo-infinitybook.public>\n <cover.1777577013.git.massimiliano.pellizzer@canonical.com>","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"From: Herbert Xu <herbert@gondor.apana.org.au>\n\ncommit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c upstream.\n\nThe check for the minimum receive buffer size did not take the\ntag size into account during decryption.  Fix this by adding the\nrequired extra length.\n\nReported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com\nReported-by: Daniel Pouzzner <douzzer@mega.nu>\nFixes: d887c52d6ae4 (\"crypto: algif_aead - overhaul memory management\")\nSigned-off-by: Herbert Xu <herbert@gondor.apana.org.au>\nSigned-off-by: Eric Biggers <ebiggers@kernel.org>\nSigned-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>\n(cherry picked from commit fd427dd84f224309afbcc2cb67c7bb770a01265c linux-5.15.y)\nCVE-2026-31431\nSigned-off-by: Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>\n---\n crypto/algif_aead.c | 2 +-\n 1 file changed, 1 insertion(+), 1 deletion(-)","diff":"diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c\nindex 24e77f4968a61..4a285994d106c 100644\n--- a/crypto/algif_aead.c\n+++ b/crypto/algif_aead.c\n@@ -150,7 +150,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,\n \tif (usedpages < outlen) {\n \t\tsize_t less = outlen - usedpages;\n \n-\t\tif (used < less) {\n+\t\tif (used < less + (ctx->enc ? 0 : as)) {\n \t\t\terr = -EINVAL;\n \t\t\tgoto free;\n \t\t}\n","prefixes":["SRU","J","v2","9/9"]}