From: Herbert Xu <herbert@gondor.apana.org.au> stable inclusion from stable-v5.10.254 commit 74a66fdb5282d89e348b00c42cfca3a936946d94 category: bugfix bugzilla: https://atomgit.com/src-openeuler/kernel/issues/14174 cve: cve-2026-31431 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c upstream. The check for the minimum receive buffer size did not take the tag size into account during decryption. Fix this by adding the required extra length. Reported-by: syzbot+aa11561819dc42ebbc7c@syzkaller.appspotmail.com Reported-by: Daniel Pouzzner <douzzer@mega.nu> Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: crypto/af_alg.c [Context conflicts] Signed-off-by: GONG Ruiqi <gongruiqi1@huawei.com> --- crypto/algif_aead.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c index dfe6b0230fcb..79649f1e4995 100644 --- a/crypto/algif_aead.c +++ b/crypto/algif_aead.c @@ -154,7 +154,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg, if (usedpages < outlen) { size_t less = outlen - usedpages; - if (used < less) { + if (used < less + (ctx->enc ? 0 : as)) { err = -EINVAL; goto free; } -- 2.43.0
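Review bot: the changed condition in _aead_recvmsg, `if (used < less + (ctx->enc ? 0 : as))`, has no comment explaining why the decrypt path needs `as` extra bytes, and `as` is defined outside the visible context, so the reason is only recoverable from the commit message. A one-line comment above the test would help, stating that on decryption the available input must also cover the tag. The expression would also read more easily if the extra length were put in a named local before the comparison. Separately, the backport note lists "Conflicts: crypto/af_alg.c [Context conflicts]", but the diffstat and the diff touch only crypto/algif_aead.c. Please confirm which file had the context conflict and correct the note if it should name algif_aead.c.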