From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Anderson Nascimento <anderson@allelesecurity.com>,
David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jeffrey Altman <jaltman@auristor.com>,
Simon Horman <horms@kernel.org>,
linux-afs@lists.infradead.org, stable@kernel.org,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.12 35/35] rxrpc: Fix missing validation of ticket length in non-XDR key preparsing
Date: Fri, 24 Apr 2026 15:31:42 +0200 [thread overview]
Message-ID: <20260424132419.118980502@linuxfoundation.org> (raw)
In-Reply-To: <20260424132411.427029259@linuxfoundation.org>
6.12-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anderson Nascimento <anderson@allelesecurity.com>
commit ac33733b10b484d666f97688561670afd5861383 upstream.
In rxrpc_preparse(), there are two paths for parsing key payloads: the
XDR path (for large payloads) and the non-XDR path (for payloads <= 28
bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly
validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR
path fails to do so.
This allows an unprivileged user to provide a very large ticket length.
When this key is later read via rxrpc_read(), the total
token size (toksize) calculation results in a value that exceeds
AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().
[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]
Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse()
to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX,
bringing it into parity with the XDR parsing logic.
Fixes: 8a7a3eb4ddbe ("KEYS: RxRPC: Use key preparsing")
Fixes: 84924aac08a4 ("rxrpc: Fix checker warning")
Reported-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: Anderson Nascimento <anderson@allelesecurity.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260422161438.2593376-7-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/key.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/net/rxrpc/key.c
+++ b/net/rxrpc/key.c
@@ -340,6 +340,10 @@ static int rxrpc_preparse(struct key_pre
if (v1->security_index != RXRPC_SECURITY_RXKAD)
goto error;
+ ret = -EKEYREJECTED;
+ if (v1->ticket_length > AFSTOKEN_RK_TIX_MAX)
+ goto error;
+
plen = sizeof(*token->kad) + v1->ticket_length;
prep->quotalen += plen + sizeof(*token);
next prev parent reply other threads:[~2026-04-24 13:44 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-24 13:31 [PATCH 6.12 00/35] 6.12.84-rc1 review Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 01/35] mm/userfaultfd: fix hugetlb fault mutex hash calculation Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 02/35] PCI: endpoint: pci-epf-vntb: Remove duplicate resource teardown Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 03/35] ima: verify if the segment size has changed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 04/35] ima: do not copy measurement list to kdump kernel Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 05/35] wifi: mac80211: always free skb on ieee80211_tx_prepare_skb() failure Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 06/35] rust: warn on bindgen < 0.69.5 and libclang >= 19.1 Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 07/35] net: ethernet: mtk_eth_soc: initialize PPE per-tag-layer MTU registers Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 08/35] drm/amdgpu: replace PASID IDR with XArray Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 09/35] scripts: generate_rust_analyzer.py: define scripts Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 10/35] mm/pagewalk: fix race between concurrent split and refault Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 11/35] ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 12/35] scripts/dtc: Remove unused dts_version in dtc-lexer.l Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 13/35] rxrpc: only handle RESPONSE during service challenge Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 14/35] fs/ntfs3: validate rec->used in journal-replay file record check Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 15/35] f2fs: fix to avoid memory leak in f2fs_rename() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 16/35] fuse: reject oversized dirents in page cache Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 17/35] fuse: Check for large folio with SPLICE_F_MOVE Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 18/35] fuse: quiet down complaints in fuse_conn_limit_write Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 19/35] ksmbd: require minimum ACE size in smb_check_perm_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 20/35] smb: server: fix active_num_conn leak on transport allocation failure Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 21/35] smb: server: fix max_connections off-by-one in tcp accept path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 22/35] smb: client: require a full NFS mode SID before reading mode bits Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 23/35] smb: client: fix OOB read in smb2_ioctl_query_info QUERY_INFO path Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 24/35] ksmbd: validate response sizes in ipc_validate_msg() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 25/35] ksmbd: validate num_aces and harden ACE walk in smb_inherit_dacl() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 26/35] ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 27/35] ksmbd: use check_add_overflow() to prevent u16 DACL size overflow Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 28/35] f2fs: fix use-after-free of sbi in f2fs_compress_write_end_io() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 29/35] ALSA: usb-audio: apply quirk for MOONDROP JU Jiu Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 30/35] ALSA: caiaq: take a reference on the USB device in create_card() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 31/35] net/packet: fix TOCTOU race on mmapd vnet_hdr in tpacket_snd() Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 32/35] crypto: ccp: Dont attempt to copy CSR to userspace if PSP command failed Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 33/35] crypto: ccp: Dont attempt to copy PDH cert " Greg Kroah-Hartman
2026-04-24 13:31 ` [PATCH 6.12 34/35] crypto: ccp: Dont attempt to copy ID " Greg Kroah-Hartman
2026-04-24 13:31 ` Greg Kroah-Hartman [this message]
2026-04-24 16:29 ` [PATCH 6.12 00/35] 6.12.84-rc1 review Peter Schneider
2026-04-24 19:36 ` Pavel Machek
2026-04-24 20:17 ` Florian Fainelli
2026-04-24 21:52 ` Mark Brown
2026-04-24 22:27 ` Shuah Khan
2026-04-25 3:27 ` Barry K. Nathan
2026-04-25 5:14 ` Christian Van
2026-04-25 7:33 ` Brett A C Sheffield
2026-04-25 12:24 ` Miguel Ojeda
2026-04-25 20:06 ` Ron Economos
2026-04-25 21:32 ` Francesco Dolcini
2026-04-27 9:02 ` Harshit Mogalapalli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260424132419.118980502@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=anderson@allelesecurity.com \
--cc=dhowells@redhat.com \
--cc=horms@kernel.org \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.