All of lore.kernel.org
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Doruk Tan Ozturk <doruk@0sec.ai>,
	Alexander Lobakin <aleksander.lobakin@intel.com>,
	Stefan Schmidt <stefan@datenfreihafen.org>
Subject: [PATCH 5.10 61/96] mac802154: llsec: add skb_cow_data() before in-place crypto
Date: Thu,  2 Jul 2026 18:19:53 +0200	[thread overview]
Message-ID: <20260702155110.264870584@linuxfoundation.org> (raw)
In-Reply-To: <20260702155108.949633242@linuxfoundation.org>

5.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Doruk Tan Ozturk <doruk@0sec.ai>

commit 84a04eb5b210643bd67aab81ff805d32f62aa865 upstream.

llsec_do_encrypt_unauth(), llsec_do_encrypt_auth(),
llsec_do_decrypt_unauth(), and llsec_do_decrypt_auth() all perform
in-place cryptographic transformations on skb data.  They build a
scatterlist with sg_init_one() pointing into the skb's linear data area
and then pass the same scatterlist as both src and dst to the crypto API
(e.g. crypto_skcipher_encrypt/decrypt, crypto_aead_encrypt/decrypt).

On the RX path, __ieee802154_rx_handle_packet() clones the received skb
before handing it to each subscriber via ieee802154_subif_frame().  The
cloned skb shares the same underlying data buffer via reference
counting.  When llsec_do_decrypt() subsequently modifies this shared
buffer in place, it corrupts data that other clones -- potentially
belonging to other sockets or subsystems -- still reference.

On the TX path, similar data sharing can occur when an skb's head has
been cloned (skb_cloned() returns true).

The fix is to call skb_cow_data() before performing any in-place crypto
operation.  skb_cow_data() ensures that the skb's data area is not
shared: if the skb head is cloned or the data spans multiple fragments,
it copies the data into a private buffer that can be safely modified in
place.  This is the same pattern used by:

  - ESP (net/ipv4/esp4.c, net/ipv6/esp6.c)
  - MACsec (drivers/net/macsec.c)
  - WireGuard (drivers/net/wireguard/receive.c)
  - TIPC (net/tipc/crypto.c)

Without this guard, in-place crypto on shared skb data leads to:
  - Silent data corruption of other skb clones
  - Use-after-free when the crypto API scatterwalk writes through a
    page that has already been freed by another clone's kfree_skb()
  - Kernel crashes under concurrent 802.15.4 traffic with security
    enabled (KASAN/KMSAN reports slab-use-after-free)

Found by 0sec (https://0sec.ai) using automated source analysis.

Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method")
Fixes: 03556e4d0dbb ("mac802154: add llsec encryption method")
Cc: stable@vger.kernel.org
Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
Closes: https://lore.kernel.org/linux-wpan/20260525161806.96158-1-doruk@0sec.ai/
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Closes: <link to your mail on lore>
Link: https://lore.kernel.org/20260526183726.56100-1-doruk@0sec.ai
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/mac802154/llsec.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/net/mac802154/llsec.c
+++ b/net/mac802154/llsec.c
@@ -710,6 +710,7 @@ int mac802154_llsec_encrypt(struct mac80
 {
 	struct ieee802154_hdr hdr;
 	int rc, authlen, hlen;
+	struct sk_buff *trailer;
 	struct mac802154_llsec_key *key;
 	u32 frame_ctr;
 
@@ -766,6 +767,12 @@ int mac802154_llsec_encrypt(struct mac80
 	skb->mac_len = ieee802154_hdr_push(skb, &hdr);
 	skb_reset_mac_header(skb);
 
+	rc = skb_cow_data(skb, 0, &trailer);
+	if (rc < 0) {
+		llsec_key_put(key);
+		return rc;
+	}
+
 	rc = llsec_do_encrypt(skb, sec, &hdr, key);
 	llsec_key_put(key);
 
@@ -905,6 +912,13 @@ llsec_do_decrypt(struct sk_buff *skb, co
 		 const struct ieee802154_hdr *hdr,
 		 struct mac802154_llsec_key *key, __le64 dev_addr)
 {
+	struct sk_buff *trailer;
+	int err;
+
+	err = skb_cow_data(skb, 0, &trailer);
+	if (err < 0)
+		return err;
+
 	if (hdr->sec.level == IEEE802154_SCF_SECLEVEL_ENC)
 		return llsec_do_decrypt_unauth(skb, sec, hdr, key, dev_addr);
 	else



  parent reply	other threads:[~2026-07-02 16:24 UTC|newest]

Thread overview: 116+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-02 16:18 [PATCH 5.10 00/96] 5.10.260-rc1 review Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 5.10 01/96] net/sched: act_pedit: use NLA_POLICY for parsing ex keys Greg Kroah-Hartman
2026-07-03 20:16   ` Ben Hutchings
2026-07-04  1:54     ` Wentao Guan
2026-07-05 13:51     ` Sasha Levin
2026-07-02 16:18 ` [PATCH 5.10 02/96] net/sched: transition act_pedit to rcu and percpu stats Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 5.10 03/96] net/sched: simplify tcf_pedit_act Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 5.10 04/96] net/sched: act_pedit: remove extra check for key type Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 5.10 05/96] net/sched: act_pedit: check static offsets a priori Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 5.10 06/96] net/sched: act_pedit: rate limit datapath messages Greg Kroah-Hartman
2026-07-02 16:18 ` [PATCH 5.10 07/96] net/sched: act_pedit: Parse L3 Header for L4 offset Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 08/96] net/sched: fix pedit partial COW leading to page cache corruption Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 09/96] net/sched: act_pedit: free pedit keys on bail from offset check Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 10/96] fuse: limit FUSE_NOTIFY_RETRIEVE to uptodate folios Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 11/96] slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd Greg Kroah-Hartman
2026-07-03 21:16   ` Ben Hutchings
2026-07-05 13:51     ` Sasha Levin
2026-07-02 16:19 ` [PATCH 5.10 12/96] drm/amd/display: Bound VBIOS record-chain walk loops Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 13/96] ip6_vti: set netns_immutable on the fallback device Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 14/96] net: add skb_header_pointer_careful() helper Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 15/96] net/sched: cls_u32: use skb_header_pointer_careful() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 16/96] drm/amd/display: Use krealloc_array() in dal_vector_reserve() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 17/96] net: 9p: fix refcount leak in p9_read_work() error handling Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 18/96] netdevsim: Fix memory leak of nsim_dev->fa_cookie Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 19/96] batman-adv: tt: reject oversized local TVLV buffers Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 20/96] batman-adv: tt: prevent TVLV entry number overflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 21/96] vfio/iommu_type1: replace kfree with kvfree Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 22/96] RDMA/bnxt_re: zero shared page before exposing to userspace Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 23/96] i2c: stub: Reject I2C block transfers with invalid length Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 24/96] net: qualcomm: rmnet: fix endpoint use-after-free in rmnet_dellink() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 25/96] agp/amd64: Fix broken error propagation in agp_amd64_probe() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 26/96] regulator: core: fix locking in regulator_resolve_supply() error path Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 27/96] vc_screen: fix null-ptr-deref in vcs_notifier() during concurrent vcs_write Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 28/96] media: vidtv: fix NULL pointer dereference in vidtv_mux_push_si Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 29/96] Documentation: ioctl-number: Extend "Include File" column width Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 30/96] crypto: qat - Replace kzalloc() + copy_from_user() with memdup_user() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 31/96] crypto: qat - Return pointer directly in adf_ctl_alloc_resources Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 32/96] crypto: qat - remove unused character device and IOCTLs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 33/96] net/sched: act_pedit: fix action bind logic Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 34/96] batman-adv: tp_meter: keep unacked list in ascending ordered Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 35/96] batman-adv: tp_meter: initialize dup_acks explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 36/96] batman-adv: tp_meter: initialize dec_cwnd explicitly Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 37/96] batman-adv: tp_meter: avoid window underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 38/96] batman-adv: tp_meter: avoid divide-by-zero for dec_cwnd Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 39/96] batman-adv: tp_meter: fix fast recovery precondition Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 40/96] batman-adv: tp_meter: handle seqno wrap-around for fast recovery detection Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 41/96] batman-adv: tp_meter: add only finished tp_vars to lists Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 42/96] batman-adv: bla: annotate lasttime access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 43/96] batman-adv: prevent ELP transmission interval underflow Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 44/96] batman-adv: tp_meter: initialize last_recv_time during init Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 45/96] batman-adv: frag: ensure fragment is writable before modifying TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 46/96] batman-adv: frag: avoid underflow of TTL Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 47/96] batman-adv: v: prevent OGM aggregation on disabled hardif Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 48/96] batman-adv: tp_meter: restrict number of unacked list entries Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 49/96] batman-adv: tp_meter: annotate last_recv_time access with READ/WRITE_ONCE Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 50/96] batman-adv: tp_meter: prevent parallel modifications of last_recv Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 51/96] batman-adv: tp_meter: handle overlapping packets Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 52/96] batman-adv: tt: dont merge change entries with different VIDs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 53/96] batman-adv: tt: track roam count per VID Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 54/96] batman-adv: dat: prevent false sharing between VLANs Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 55/96] batman-adv: tvlv: enforce 2-byte alignment Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 56/96] batman-adv: tvlv: avoid race of cifsnotfound handler state Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 57/96] ring-buffer: Remove ring_buffer_read_prepare_sync() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 58/96] ext4: add bounds check for inline data length in ext4_read_inline_page Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 59/96] crypto: af_alg - Set merge to zero early in af_alg_sendmsg Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 60/96] net: cpsw_new: Fix potential unregister of netdev that has not been registered yet Greg Kroah-Hartman
2026-07-02 16:19 ` Greg Kroah-Hartman [this message]
2026-07-02 16:19 ` [PATCH 5.10 62/96] KEYS: fix overflow in keyctl_pkey_params_get_2() Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 63/96] keys: Pin request_key_auth payload in instantiate paths Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 64/96] wifi: mt76: mt76x2u: Add support for ELECOM WDC-867SU3S Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 65/96] wifi: ath11k: fix warning when unbinding Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 66/96] wifi: rtlwifi: rtl8821ae: Fix C2H bit location in RX descriptor Greg Kroah-Hartman
2026-07-02 16:19 ` [PATCH 5.10 67/96] f2fs: validate ACL entry sizes in f2fs_acl_from_disk() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 68/96] bpf: use kvfree() for replaced sysctl write buffer Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 69/96] MIPS: DEC: Prevent initial console buffer from landing in XKPHYS Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 70/96] exfat: fix potential use-after-free in exfat_find_dir_entry() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 71/96] tipc: fix slab-use-after-free Read in tipc_aead_decrypt_done Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 72/96] pNFS: Fix use-after-free in pnfs_update_layout() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 73/96] irqchip/imgpdc: Fix resource leak, add missing chained handler cleanup on remove Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 74/96] fpga: region: fix use-after-free in child_regions_with_firmware() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 75/96] ocfs2: reject oversized group bitmap descriptors Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 76/96] KVM: SVM: Fix page overflow in sev_dbg_crypt() for ENCRYPT path Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 77/96] fbdev: Fix fb_new_modelist to prevent null-ptr-deref in fb_videomode_to_var Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 78/96] fbdev: modedb: Fix misaligned fields in the 1920x1080-60 mode Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 79/96] NFSD: Fix SECINFO_NO_NAME decode error cleanup Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 80/96] nfsd: fix posix_acl leak on SETACL decode failure Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 81/96] nfsd: check get_user() return when reading princhashlen Greg Kroah-Hartman
2026-07-05 20:15   ` Ben Hutchings
2026-07-06 14:08     ` Sasha Levin
2026-07-07 13:18       ` Chuck Lever
2026-07-02 16:20 ` [PATCH 5.10 82/96] dlm: prevent NPD when writing a positive value to event_done Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 83/96] usb: cdns3: gadget: fix NULL pointer dereference in ep_queue Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 84/96] bnxt_en: Modify bnxt_disable_int_sync() to be called more than once Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 85/96] bnxt_en: Fix NULL pointer dereference Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 86/96] hv: utils: handle and propagate errors in kvp_register Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 87/96] mptcp: fix missing wakeups in edge scenarios Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 88/96] misc: fastrpc: Add dma_mask to fastrpc_channel_ctx Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 89/96] misc: fastrpc: Fix NULL pointer dereference in rpmsg callback Greg Kroah-Hartman
2026-07-05 21:18   ` Ben Hutchings
2026-07-02 16:20 ` [PATCH 5.10 90/96] Drivers: hv: vmbus: Improve the logic of reserving fb_mmio on Gen2 VMs Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 91/96] phonet: Pass ifindex to fill_addr() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 92/96] phonet: Pass net and ifindex to phonet_address_notify() Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 93/96] net: phonet: free phonet_device after RCU grace period Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 94/96] mmc: renesas_sdhi: Add OF entry for RZ/G2H SoC Greg Kroah-Hartman
2026-07-05 22:15   ` Ben Hutchings
2026-07-06  7:52     ` Geert Uytterhoeven
2026-07-06 11:33       ` Prabhakar Mahadev Lad
2026-07-06 14:08         ` Sasha Levin
2026-07-06 14:15           ` Prabhakar Mahadev Lad
2026-07-02 16:20 ` [PATCH 5.10 95/96] misc: fastrpc: fix DMA address corruption due to find_vma misuse Greg Kroah-Hartman
2026-07-02 16:20 ` [PATCH 5.10 96/96] virtiofs: fix UAF on submount umount Greg Kroah-Hartman
2026-07-02 19:46 ` [PATCH 5.10 00/96] 5.10.260-rc1 review Brett A C Sheffield
2026-07-02 20:18 ` Woody Suwalski
2026-07-03  8:30 ` Pavel Machek
2026-07-03 13:54 ` Mark Brown
2026-07-06 10:29 ` Florian Fainelli

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260702155110.264870584@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=aleksander.lobakin@intel.com \
    --cc=doruk@0sec.ai \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=stefan@datenfreihafen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.