From: "Muhammet Kaan KILINÇ" <muhammetkaankilinc@gmail.com>
To: herbert@gondor.apana.org.au, ebiggers@kernel.org
Cc: linux-crypto@vger.kernel.org, stable@vger.kernel.org,
sashal@kernel.org,
"Muhammet Kaan KILINÇ" <muhammetkaankilinc@gmail.com>
Subject: [PATCH 0/2] crypto: algif_skcipher - fix AIO IV race in stable trees
Date: Sun, 5 Jul 2026 22:01:09 +0000 [thread overview]
Message-ID: <20260705220112.2522-1-muhammetkaankilinc@gmail.com> (raw)
The AF_ALG skcipher AIO path passes the socket-wide ctx->iv as a raw
pointer into the async request. After io_submit() the socket lock is
dropped and the request is processed by a worker, which dereferences
ctx->iv only later. A concurrent sendmsg(ALG_SET_IV) on the same socket
can overwrite ctx->iv inside this window, so the in-flight request runs
under an attacker-controlled IV. For CTR and other stream modes this is
IV/keystream reuse and lets an unprivileged user recover the
plaintext of a concurrent operation.
Mainline removed the AIO socket path entirely in commit fcc77d33a34c
("net: Remove support for AIO on sockets"), a broad net/ cleanup that is
not appropriate for a stable backport. The minimal stable fix mirrors the
algif_aead change 5aa58c3a572b ("crypto: algif_aead - snapshot IV for
async AEAD requests"). The supported stable trees split into two cases:
- 6.12.y and 6.19.y carry ctx->state, so a per-request IV snapshot is
sufficient (patch 1).
- 6.1.y and 6.6.y lack ctx->state and chain the IV in-place; there a
snapshot alone would break MSG_MORE chaining and a completion-path
writeback would reintroduce a race on ctx->iv outside the socket
lock, so the AIO path is made synchronous, matching the upstream
removal (patch 2). Patch 2 applies to both 6.1.y and 6.6.y.
This is distinct from CVE-2026-31677 (a skcipher receive-accounting
fix); it is an IV-handling race, not a receive-space guardrail.
Reported to security@kernel.org on 2026-06-07 (follow-up 2026-06-19, no
response). As the mainline removal is independent of that report and is
not backportable, I am sending the stable fix here.
Verified:
- 6.19.14 (patch 1): unpatched recovers plaintext on 2857/200000 AIO
ops (100% of injected cases); patched 0/0; MSG_MORE chunked output
bit-identical to single-shot.
- 6.6.143 (patch 2): unpatched injects the attacker IV on 2296/200000
ops; patched 0/200000; MSG_MORE chunked output bit-identical to
single-shot.
A working PoC is available to maintainers on request; it will be
published after the fix is picked up by the stable trees.
Muhammet Kaan KILINÇ (2):
crypto: algif_skcipher - snapshot IV for async skcipher requests
crypto: algif_skcipher - force synchronous processing on trees without
ctx->state
next reply other threads:[~2026-07-05 22:01 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-05 22:01 Muhammet Kaan KILINÇ [this message]
2026-07-05 22:01 ` [PATCH 1/2] crypto: algif_skcipher - snapshot IV for async skcipher requests Muhammet Kaan KILINÇ
2026-07-06 14:08 ` Sasha Levin
2026-07-05 22:01 ` [PATCH 2/2] crypto: algif_skcipher - force synchronous processing on trees without ctx->state Muhammet Kaan KILINÇ
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260705220112.2522-1-muhammetkaankilinc@gmail.com \
--to=muhammetkaankilinc@gmail.com \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox