[PATCH OLK-6.6 0/2] Fix CVE-2025-39964
CVE-2025-39964

Eric Biggers (1):
  crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

Herbert Xu (1):
  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

 crypto/af_alg.c         |  7 +++++++
 include/crypto/if_alg.h | 10 ++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

-- 
2.43.0
FeedBack: The patch(es) you sent to the kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/19213
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/ALD...
From: Herbert Xu <herbert@gondor.apana.org.au> stable inclusion from stable-v6.6.108 commit 7c4491b5644e3a3708f3dbd7591be0a570135b84 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID1OXK CVE: CVE-2025-39964 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285 upstream. Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state. Disallow this by adding a new ctx->write field that indiciates exclusive ownership for writing. Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations") Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg> Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- crypto/af_alg.c | 7 +++++++ include/crypto/if_alg.h | 10 ++++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 80e95d0d0c45..886eccb97b04 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -969,6 +969,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -1104,6 +1110,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index bb5f20644786..384684b36aaa 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h 
@@ -140,6 +140,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -155,10 +156,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len; -- 2.43.0
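Review bot: in the af_alg_sendmsg hunks, `ctx->write = true` is set right after `lock_sock(sk)` and only cleared at the `unlock:` label; any `return` between those two points that does not go through `unlock:` would leave the flag set and make every later sendmsg on that socket fail with -EBUSY permanently. Please confirm that every exit path after `ctx->write = true` reaches `unlock:`, and consider documenting the new -EBUSY return for userspace, since callers previously either succeeded or saw -EINVAL on a stale state.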
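Review bot: the struct af_alg_ctx hunk changes `bool more; bool merge; bool enc; bool init;` to `u32 more:1, merge:1, enc:1, write:1, init:1;`, which changes assignment semantics: a `bool` target normalizes any nonzero value to 1, whereas a 1-bit `u32` bitfield keeps only the low bit, so an existing assignment of a value greater than 1 (for instance a flag-mask expression) to `more` or `merge` now stores 0 instead of 1. Either keep the fields as `bool` (bitfield or not, e.g. `bool more:1, merge:1, ...`) or add `!!` at the assignment sites; the follow-up patch in this series takes the first option.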
From: Eric Biggers <ebiggers@kernel.org> stable inclusion from stable-v6.6.108 commit 8703940bd30b5ad94408d28d7192db2491cd3592 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID1OXK CVE: CVE-2025-39964 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=... -------------------------------- commit d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb upstream. Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32. However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true. With a 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended. Fix this by restoring the bool type. Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") Cc: stable@vger.kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Gu Bowen <gubowen5@huawei.com> --- include/crypto/if_alg.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 384684b36aaa..2e43d7704d1d 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -156,7 +156,7 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - u32 more:1, + bool more:1, merge:1, enc:1, write:1, -- 2.43.0
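Review bot: restoring `bool more:1, merge:1, enc:1, write:1, init:1;` keeps the bit-packing from the previous patch while reinstating the implicit 0/1 normalization that the `more` and `merge` assignment sites rely on, so the fix matches the description. One caveat worth a sentence in the commit message: a `bool` bitfield cannot be passed by address or used with the bitops helpers, so any future code that needs `&ctx->more` will have to move the field back to a full `bool`.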
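The commit message above describes why the first patch broke `more` and `merge`: assigning a value greater than 1 to a plain `bool` (or a `bool` bitfield) normalizes it to 1, while assigning it to a 1-bit `u32` bitfield keeps only the low bit. The following C program is an added illustration of that difference, not code from the kernel or from this series; the structs are constructed stand-ins for `struct af_alg_ctx`, and the sample value 0x8000 is used only because it is an even flag-like value whose low bit is 0.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the layout the first patch introduced
 * (1-bit bitfields of type u32). Not the kernel's struct af_alg_ctx. */
struct ctx_u32 {
    uint32_t more:1, merge:1;
};

/* Constructed stand-in for the layout the second patch restores
 * (1-bit bitfields of type bool). */
struct ctx_bool {
    bool more:1, merge:1;
};

/* Store an arbitrary value through a u32:1 bitfield and read it back.
 * The conversion to the 1-bit unsigned field is value mod 2, so any even
 * nonzero value (e.g. 0x8000, constructed here to mimic a flag mask)
 * reads back as 0. */
unsigned int store_u32_bitfield(unsigned int value)
{
    struct ctx_u32 c = {0};

    c.more = value;
    return c.more;
}

/* Same store through a bool:1 bitfield. C converts the value to _Bool
 * first, so every nonzero value reads back as 1. */
unsigned int store_bool_bitfield(unsigned int value)
{
    struct ctx_bool c = {0};

    c.more = value;
    return c.more;
}

/* The alternative fix mentioned in review: normalize at the assignment
 * site with !! so the result is correct regardless of the field type. */
unsigned int store_u32_bitfield_normalized(unsigned int value)
{
    struct ctx_u32 c = {0};

    c.more = !!value;
    return c.more;
}

int main(void)
{
    unsigned int flaglike = 0x8000; /* constructed sample: even, nonzero */

    printf("value 0x%x -> u32:1 = %u, bool:1 = %u, u32:1 with !! = %u\n",
           flaglike,
           store_u32_bitfield(flaglike),
           store_bool_bitfield(flaglike),
           store_u32_bitfield_normalized(flaglike));
    printf("value 3 -> u32:1 = %u, bool:1 = %u\n",
           store_u32_bitfield(3), store_bool_bitfield(3));
    return 0;
}
```

The truncation is silent: no compiler diagnostic is emitted when the stored value is a runtime variable rather than a constant, which is why a type change like `bool` to `u32:1` needs every assignment site audited (or a `!!` added) before it is safe.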
Participants (2): Gu Bowen, patchwork bot