From: Eric Biggers <ebiggers@kernel.org>
To: stable@vger.kernel.org
Cc: linux-crypto@vger.kernel.org,
Herbert Xu <herbert@gondor.apana.org.au>,
syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH 6.1 8/9] crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
Date: Wed, 29 Apr 2026 23:27:30 -0700 [thread overview]
Message-ID: <20260430062731.140497-9-ebiggers@kernel.org> (raw)
In-Reply-To: <20260430062731.140497-1-ebiggers@kernel.org>
From: Herbert Xu <herbert@gondor.apana.org.au>
commit 31d00156e50ecad37f2cb6cbf04aaa9a260505ef upstream.
When page reassignment was added to af_alg_pull_tsgl the original
loop wasn't updated so it may try to reassign one more page than
necessary.
Add the check to the reassignment so that this does not happen.
Also update the comment which still refers to the obsolete offset
argument.
Reported-by: syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com
Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/af_alg.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index edf13ab8bf37..54494af50ba1 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -592,12 +592,12 @@ void af_alg_pull_tsgl(struct sock *sk, size_t used, struct scatterlist *dst)
/*
* Assumption: caller created af_alg_count_tsgl(len)
* SG entries in dst.
*/
- if (dst) {
- /* reassign page to dst after offset */
+ if (dst && plen) {
+ /* reassign page to dst */
get_page(page);
sg_set_page(dst + j, page, plen, sg[i].offset);
j++;
}
--
2.54.0
next prev parent reply other threads:[~2026-04-30 6:29 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-30 6:27 [PATCH 6.1 0/9] AF_ALG fixes Eric Biggers
2026-04-30 6:27 ` [PATCH 6.1 1/9] crypto: scatterwalk - Backport memcpy_sglist() Eric Biggers
2026-04-30 6:27 ` [PATCH 6.1 2/9] crypto: algif_aead - use memcpy_sglist() instead of null skcipher Eric Biggers
2026-04-30 6:27 ` [PATCH 6.1 3/9] crypto: algif_aead - Revert to operating out-of-place Eric Biggers
2026-04-30 6:27 ` [PATCH 6.1 4/9] crypto: algif_aead - snapshot IV for async AEAD requests Eric Biggers
2026-04-30 6:27 ` [PATCH 6.1 5/9] crypto: authenc - use memcpy_sglist() instead of null skcipher Eric Biggers
2026-04-30 6:27 ` [PATCH 6.1 6/9] crypto: authencesn - Do not place hiseq at end of dst for out-of-place decryption Eric Biggers
2026-04-30 6:27 ` [PATCH 6.1 7/9] crypto: authencesn - Fix src offset when decrypting in-place Eric Biggers
2026-04-30 6:27 ` Eric Biggers [this message]
2026-04-30 6:27 ` [PATCH 6.1 9/9] crypto: algif_aead - Fix minimum RX size check for decryption Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260430062731.140497-9-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+d23888375c2737c17ba5@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox