[PATCH openEuler-1.0-LTS 0/2] Fix CVE-2025-39964
CVE-2025-39964

Eric Biggers (1):
  crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

Herbert Xu (1):
  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

 crypto/af_alg.c         |  7 +++++++
 include/crypto/if_alg.h | 10 ++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

--
2.43.0
FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/18973
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/UG3...
From: Herbert Xu <herbert@gondor.apana.org.au>

mainline inclusion
from mainline-v6.17-rc7
commit 1b34cbbf4f011a121ef7b2d7d6e6920a036d5285
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID1OXK
CVE: CVE-2025-39964

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

Issuing two writes to the same af_alg socket is bogus as the data will be interleaved in an unpredictable fashion. Furthermore, concurrent writes may create inconsistencies in the internal socket state.

Disallow this by adding a new ctx->write field that indicates exclusive ownership for writing.

Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
Reported-by: Muhammad Alifa Ramdhan <ramdhan@starlabs.sg>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>
---
 crypto/af_alg.c         |  7 +++++++
 include/crypto/if_alg.h | 10 ++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c index fdccf8c9c4ff..69c21b047566 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -865,6 +865,12 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, } lock_sock(sk); + if (ctx->write) { + release_sock(sk); + return -EBUSY; + } + ctx->write = true; + if (ctx->init && !ctx->more) { if (ctx->used) { err = -EINVAL; @@ -972,6 +978,7 @@ int af_alg_sendmsg(struct socket *sock, struct msghdr *msg, size_t size, unlock: af_alg_data_wakeup(sk); + ctx->write = false; release_sock(sk); return copied ?: err; diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index 9ff2826cdd48..db6480e95948 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h 
@@ -140,6 +140,7 @@ struct af_alg_async_req { * SG? * @enc: Cryptographic operation to be performed when * recvmsg is invoked. + * @write: True if we are in the middle of a write. * @init: True if metadata has been sent. * @len: Length of memory allocated for this data structure. * @inflight: Non-zero when AIO requests are in flight. @@ -155,10 +156,11 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - bool more; - bool merge; - bool enc; - bool init; + u32 more:1, + merge:1, + enc:1, + write:1, + init:1; unsigned int len; -- 2.43.0
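Review bot: The new 'return -EBUSY' at the top of af_alg_sendmsg() (hunk @@ -865,6 +865,12 @@ in crypto/af_alg.c) is a user-visible behaviour change that the patch does not document: a caller that issued overlapping sendmsg() calls on one AF_ALG socket now gets an error where it previously got interleaved data. A short comment above the 'if (ctx->write)' test saying that the flag marks exclusive write ownership, and why the test is needed although it already runs under lock_sock(sk), would make the intent clear to the next reader.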
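Review bot: ctx->write is cleared only at the 'unlock:' label (hunk @@ -972,6 +978,7 @@ in crypto/af_alg.c), so every exit taken after 'ctx->write = true' has to reach that label; a direct return on an error path in between would leave the flag set and make every later sendmsg() on the socket fail with -EBUSY. The context of the first hunk shows 'err = -EINVAL' being set right after the flag is taken, so confirm that this branch and the other error branches in the function use 'goto unlock' rather than returning. Clearing the flag before release_sock(sk), as done here, keeps the update under the socket lock.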
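Review bot: Converting more, merge, enc and init from bool to 'u32 ...:1' (hunk @@ -155,10 +156,11 @@ in include/crypto/if_alg.h) changes what an assignment stores: a bool converts any nonzero value to true, while a 1-bit unsigned bitfield keeps only the low bit, so an existing assignment of an even nonzero value such as a flag mask or a length would now store 0. Only the new write field is needed for this fix; either add it as 'bool write;' beside the existing bool fields, or audit every assignment to the converted fields and normalize the right-hand side with '!!'.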
From: Eric Biggers <ebiggers@kernel.org>

mainline inclusion
from mainline-v6.17
commit d0ca0df179c4b21e2a6c4a4fb637aa8fa14575cb
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID1OXK
CVE: CVE-2025-39964

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

-------------------------------

Commit 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg") changed some fields from bool to 1-bit bitfields of type u32.

However, some assignments to these fields, specifically 'more' and 'merge', assign values greater than 1. These relied on C's implicit conversion to bool, such that zero becomes false and nonzero becomes true.

With 1-bit bitfields of type u32 instead, mod 2 of the value is taken instead, resulting in 0 being assigned in some cases when 1 was intended.

Fix this by restoring the bool type.

Fixes: 1b34cbbf4f01 ("crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gu Bowen <gubowen5@huawei.com>
---
 include/crypto/if_alg.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index db6480e95948..ca3cd8118639 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h @@ -156,7 +156,7 @@ struct af_alg_ctx { size_t used; atomic_t rcvused; - u32 more:1, + bool more:1, merge:1, enc:1, write:1, -- 2.43.0
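Review bot: In 'bool more:1,' (hunk @@ -156,7 +156,7 @@ in include/crypto/if_alg.h) the type is written once and the following 'merge:1, enc:1, write:1,' lines are declarators of the same declaration, so this one-token change retypes all of them, which is easy to miss when reading or later editing the struct. Consider giving each flag its own declaration ('bool more:1;', 'bool merge:1;' and so on), so that splitting or reordering the list cannot bring back a u32 bitfield, and add a comment on the struct that assignments to these flags rely on conversion to bool.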
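The truncation described in the second patch's commit message, reproduced in user space as an added example (not code from the patches or from the kernel). The struct names, the helper functions, the u32 typedef and the sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

typedef unsigned int u32;       /* stand-in for the kernel's u32 */

/* Constructed stand-ins for the flag fields of struct af_alg_ctx. */
struct flags_u32 {              /* field types after the first patch */
	u32 more:1, merge:1, enc:1, write:1, init:1;
};
struct flags_bool {             /* field types after the second patch */
	bool more:1, merge:1, enc:1, write:1, init:1;
};

/* Store v in a 1-bit u32 field: only the low bit survives (v mod 2). */
static int store_u32(unsigned int v)
{
	struct flags_u32 f = {0};
	f.more = v;
	return f.more;
}

/* Store v in a 1-bit bool field: v is first converted to bool (v != 0). */
static int store_bool(unsigned int v)
{
	struct flags_bool f = {0};
	f.more = v;
	return f.more;
}

/* Count the sample values for which the u32 bitfield loses a "true". */
static int count_lost_true(const unsigned int *vals, size_t n)
{
	int lost = 0;
	for (size_t i = 0; i < n; i++) {
		int a = store_u32(vals[i]), b = store_bool(vals[i]);
		printf("value 0x%04x: u32:1 -> %d, bool:1 -> %d\n", vals[i], a, b);
		if (b && !a)
			lost++;
	}
	return lost;
}

/* Constructed inputs: 0x8000 is MSG_MORE on Linux, 4096 a length-like value. */
static const unsigned int samples[] = { 0, 1, 2, 3, 0x8000, 4096 };

int main(void)
{
	size_t n = sizeof(samples) / sizeof(samples[0]);
	printf("%d of %zu values stored as 0 instead of 1\n", count_lost_true(samples, n), n);
	return 0;
}
```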