From: Breno Leitao <leitao@debian.org>
To: Doruk Tan Ozturk <doruk@0sec.ai>
Cc: alex.aring@gmail.com, stefan@datenfreihafen.org,
miquel.raynal@bootlin.com, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com,
horms@kernel.org, linux-wpan@vger.kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net v2] mac802154: llsec: reject frames shorter than the authentication tag
Date: Fri, 17 Jul 2026 01:05:15 -0700 [thread overview]
Message-ID: <alniMI0L968UYhkq@gmail.com> (raw)
In-Reply-To: <20260716193106.30607-1-doruk@0sec.ai>
On Thu, Jul 16, 2026 at 09:31:06PM +0200, Doruk Tan Ozturk wrote:
> llsec_do_decrypt_auth() computes the associated-data length for the
> AEAD request as
>
> assoclen += datalen - authlen;
>
> where datalen is the number of bytes after the MAC header and authlen
> (4, 8 or 16) is the length of the authentication tag. Nothing verifies
> that the frame actually carries at least authlen payload bytes. A
> secured frame whose payload is shorter than the tag makes
> datalen - authlen negative; assoclen is then passed to
> aead_request_set_ad() as an unsigned value close to 4 GiB, so
> crypto_aead_decrypt() walks far off the end of the scatterlist that
> only spans the real frame.
>
> The frame is fully attacker-controlled and reaches this path from any
> IEEE 802.15.4 peer in radio range. Reject frames whose payload is
> shorter than the authentication tag before the subtraction.
>
> Dynamically reproduced on a KASAN kernel as a general-protection-fault
> in the AEAD scatterwalk, and the fix confirmed.
>
> Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method")
> Cc: stable@vger.kernel.org
> Assisted-by: 0sec:multi-model
> Reviewed-by: Simon Horman <horms@kernel.org>
> Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
Reviwed-by: Breno Leitao <leitao@debian.org>
next prev parent reply other threads:[~2026-07-17 8:05 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 13:12 [PATCH net] mac802154: llsec: reject frames shorter than the authentication tag Doruk Tan Ozturk
2026-07-16 10:09 ` Simon Horman
2026-07-16 13:23 ` Breno Leitao
2026-07-16 19:31 ` Doruk Tan Ozturk
2026-07-16 19:31 ` [PATCH net v2] " Doruk Tan Ozturk
2026-07-17 8:05 ` Breno Leitao [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-07-16 19:34 Doruk Tan Ozturk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=alniMI0L968UYhkq@gmail.com \
--to=leitao@debian.org \
--cc=alex.aring@gmail.com \
--cc=davem@davemloft.net \
--cc=doruk@0sec.ai \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wpan@vger.kernel.org \
--cc=miquel.raynal@bootlin.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=stefan@datenfreihafen.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.