[PATCH net v4 12/15] rxrpc: reject undecryptable rxkad response tickets

All of lore.kernel.org
 help / color / mirror / Atom feed

From: David Howells <dhowells@redhat.com>
To: netdev@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
	Marc Dionne <marc.dionne@auristor.com>,
	Jakub Kicinski <kuba@kernel.org>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Paolo Abeni <pabeni@redhat.com>,
	linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org,
	Yuqi Xu <xuyuqiabc@gmail.com>, Yifan Wu <yifanwucs@gmail.com>,
	Juefei Pu <tomapufckgml@gmail.com>,
	Yuan Tan <yuantan098@gmail.com>, Xin Liu <bird@lzu.edu.cn>,
	Ren Wei <enjou1224z@gmail.com>, Ren Wei <n05ec@lzu.edu.cn>,
	Simon Horman <horms@kernel.org>,
	stable@kernel.org
Subject: [PATCH net v4 12/15] rxrpc: reject undecryptable rxkad response tickets
Date: Wed,  1 Apr 2026 11:56:05 +0100	[thread overview]
Message-ID: <20260401105614.1696001-13-dhowells@redhat.com> (raw)
In-Reply-To: <20260401105614.1696001-1-dhowells@redhat.com>

From: Yuqi Xu <xuyuqiabc@gmail.com>

rxkad_decrypt_ticket() decrypts the RXKAD response ticket and then
parses the buffer as plaintext without checking whether
crypto_skcipher_decrypt() succeeded.

A malformed RESPONSE can therefore use a non-block-aligned ticket
length, make the decrypt operation fail, and still drive the ticket
parser with attacker-controlled bytes.

Check the decrypt result and abort the connection with RXKADBADTICKET
when ticket decryption fails.

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Yuqi Xu <xuyuqiabc@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Eric Dumazet <edumazet@google.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: stable@kernel.org
---
 net/rxrpc/rxkad.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/rxrpc/rxkad.c b/net/rxrpc/rxkad.c
index e923d6829008..0f79d694cb08 100644
--- a/net/rxrpc/rxkad.c
+++ b/net/rxrpc/rxkad.c
@@ -958,6 +958,7 @@ static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
 	struct in_addr addr;
 	unsigned int life;
 	time64_t issue, now;
+	int ret;
 	bool little_endian;
 	u8 *p, *q, *name, *end;
 
@@ -977,8 +978,11 @@ static int rxkad_decrypt_ticket(struct rxrpc_connection *conn,
 	sg_init_one(&sg[0], ticket, ticket_len);
 	skcipher_request_set_callback(req, 0, NULL, NULL);
 	skcipher_request_set_crypt(req, sg, sg, ticket_len, iv.x);
-	crypto_skcipher_decrypt(req);
+	ret = crypto_skcipher_decrypt(req);
 	skcipher_request_free(req);
+	if (ret < 0)
+		return rxrpc_abort_conn(conn, skb, RXKADBADTICKET, -EPROTO,
+					rxkad_abort_resp_tkt_short);
 
 	p = ticket;
 	end = p + ticket_len;

next prev parent reply	other threads:[~2026-04-01 10:57 UTC|newest]

Thread overview: 24+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-04-01 10:55 [PATCH net v4 00/15] rxrpc: Miscellaneous fixes David Howells
2026-04-01 10:55 ` [PATCH net v4 01/15] rxrpc: Fix key quota calculation for multitoken keys David Howells
2026-04-01 10:55 ` [PATCH net v4 02/15] rxrpc: Fix key parsing memleak David Howells
2026-04-01 10:55 ` [PATCH net v4 03/15] rxrpc: Fix anonymous key handling David Howells
2026-04-01 10:55 ` [PATCH net v4 04/15] rxrpc: Fix call removal to use RCU safe deletion David Howells
2026-04-01 12:42   ` David Howells
2026-04-01 10:55 ` [PATCH net v4 05/15] rxrpc: Fix RxGK token loading to check bounds David Howells
2026-04-01 10:55 ` [PATCH net v4 06/15] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial David Howells
2026-04-01 10:56 ` [PATCH net v4 07/15] rxrpc: Fix rack timer warning to report unexpected mode David Howells
2026-04-01 10:56 ` [PATCH net v4 08/15] rxrpc: Fix keyring reference count leak in rxrpc_setsockopt() David Howells
2026-04-01 10:56 ` [PATCH net v4 09/15] rxrpc: Fix key reference count leak from call->key David Howells
2026-04-01 10:56 ` [PATCH net v4 10/15] rxrpc: Fix to request an ack if window is limited David Howells
2026-04-01 10:56 ` [PATCH net v4 11/15] rxrpc: Only put the call ref if one was acquired David Howells
2026-04-01 10:56 ` David Howells [this message]
2026-04-01 10:56 ` [PATCH net v4 13/15] rxrpc: fix RESPONSE authenticator parser OOB read David Howells
2026-04-01 10:56 ` [PATCH net v4 14/15] rxrpc: fix oversized RESPONSE authenticator length check David Howells
2026-04-01 10:56 ` [PATCH net v4 15/15] rxrpc: fix reference count leak in rxrpc_server_keyring() David Howells
2026-04-01 16:14   ` Anderson Nascimento
2026-04-01 19:32     ` David Howells
2026-04-02  2:22       ` Jakub Kicinski
2026-04-08 10:49         ` David Howells
2026-04-08 17:52           ` Jakub Kicinski
2026-04-08 10:50     ` David Howells
2026-04-08 10:53       ` David Howells

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e923d682900 dfblob:0f79d694cb0 )
 OR (
bs:"[PATCH net v4 12/15] rxrpc: reject undecryptable rxkad response tickets" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260401105614.1696001-13-dhowells@redhat.com \
    --to=dhowells@redhat.com \
    --cc=bird@lzu.edu.cn \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=enjou1224z@gmail.com \
    --cc=horms@kernel.org \
    --cc=kuba@kernel.org \
    --cc=linux-afs@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marc.dionne@auristor.com \
    --cc=n05ec@lzu.edu.cn \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=stable@kernel.org \
    --cc=tomapufckgml@gmail.com \
    --cc=xuyuqiabc@gmail.com \
    --cc=yifanwucs@gmail.com \
    --cc=yuantan098@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.