From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, David Howells <dhowells@redhat.com>,
Marc Dionne <marc.dionne@auristor.com>,
Jeffrey Altman <jaltman@auristor.com>,
Simon Horman <horms@kernel.org>,
linux-afs@lists.infradead.org, stable@kernel.org,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.18 78/83] rxrpc: Fix integer overflow in rxgk_verify_response()
Date: Mon, 13 Apr 2026 18:00:46 +0200 [thread overview]
Message-ID: <20260413155733.906676015@linuxfoundation.org> (raw)
In-Reply-To: <20260413155731.019638460@linuxfoundation.org>
6.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit 699e52180f4231c257821c037ed5c99d5eb0edb8 upstream.
In rxgk_verify_response(), there's a potential integer overflow due to
rounding up token_len before checking it, thereby allowing the length check to
be bypassed.
Fix this by checking the unrounded value against len too (len is limited as
the response must fit in a single UDP packet).
Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-18-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/rxgk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1209,7 +1209,8 @@ static int rxgk_verify_response(struct r
token_offset = offset;
token_len = ntohl(rhdr.token_len);
- if (xdr_round_up(token_len) + sizeof(__be32) > len)
+ if (token_len > len ||
+ xdr_round_up(token_len) + sizeof(__be32) > len)
goto short_packet;
trace_rxrpc_rx_response(conn, sp->hdr.serial, 0, sp->hdr.cksum, token_len);
next prev parent reply other threads:[~2026-04-13 16:10 UTC|newest]
Thread overview: 97+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 15:59 [PATCH 6.18 00/83] 6.18.23-rc1 review Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 01/83] usb: typec: ucsi: skip connector validation before init Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 02/83] wifi: rt2x00usb: fix devres lifetime Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 03/83] xfrm_user: fix info leak in build_report() Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 04/83] net: rfkill: prevent unlimited numbers of rfkill events from being created Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 05/83] Revert "ALSA: hda/realtek: Add quirk for Gigabyte Technology to fix headphone" Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 06/83] Revert "mptcp: add needs_id for netlink appending addr" Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 07/83] mptcp: fix slab-use-after-free in __inet_lookup_established Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 08/83] seg6: separate dst_cache for input and output paths in seg6 lwtunnel Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 09/83] Input: uinput - fix circular locking dependency with ff-core Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 10/83] Input: uinput - take event lock when submitting FF request "event" Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 11/83] MIPS: Always record SEGBITS in cpu_data.vmbits Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 12/83] MIPS: mm: Suppress TLB uniquification on EHINV hardware Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 13/83] MIPS: mm: Rewrite TLB uniquification for the hidden bit feature Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 14/83] btrfs: remove pointless out labels from extent-tree.c Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 15/83] btrfs: fix incorrect return value after changing leaf in lookup_extent_data_ref() Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 16/83] af_unix: Count cyclic SCC Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 17/83] af_unix: Simplify GC state Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 18/83] af_unix: Give up GC if MSG_PEEK intervened Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 19/83] i2c: imx: zero-initialize dma_slave_config for eDMA Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 20/83] netfilter: nft_ct: fix use-after-free in timeout object destroy Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 21/83] firmware: thead: Fix buffer overflow and use standard endian macros Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 22/83] workqueue: Add pool_workqueue to pending_pwqs list when unplugging multiple inactive works Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 23/83] modpost: Declare extra_warn with unused attribute Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 24/83] xfrm: clear trailing padding in build_polexpire() Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 25/83] xfrm: hold dev ref until after transport_finish NF_HOOK Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 26/83] tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 27/83] wifi: brcmsmac: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 28/83] platform/x86: ISST: Reset core count to 0 Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 29/83] platform/x86/intel-uncore-freq: Handle autonomous UFS status bit Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 30/83] Revert "arm64: dts: rockchip: Further describe the WiFi for the Pinebook Pro" Greg Kroah-Hartman
2026-04-13 15:59 ` [PATCH 6.18 31/83] Revert "arm64: dts: imx8mq-librem5: Set the DVS voltages lower" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 32/83] arm64: dts: imx8mq-librem5: Bump BUCK1 suspend voltage up to 0.85V Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 33/83] arm64: dts: renesas: sparrow-hawk: Reserve first 128 MiB of DRAM Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 34/83] arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 35/83] arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 36/83] nfc: pn533: allocate rx skb before consuming bytes Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 37/83] batman-adv: reject oversized global TT response buffers Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 38/83] X.509: Fix out-of-bounds access when parsing extensions Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 39/83] EDAC/mc: Fix error path ordering in edac_mc_alloc() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 40/83] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 41/83] net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 42/83] batman-adv: hold claim backbone gateways by reference Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 43/83] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 44/83] drm/i915/psr: Do not use pipe_src as borders for SU area Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 45/83] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 46/83] pmdomain: imx8mp-blk-ctrl: Keep the NOC_HDCP clock enabled Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 47/83] igb: remove napi_synchronize() in igb_down() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 48/83] mm/memory_hotplug: maintain N_NORMAL_MEMORY during hotplug Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 49/83] mm/damon/sysfs: dealloc repeat_call_control if damon_call() fails Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 50/83] mm/damon/stat: deallocate damon_call() failure leaking damon_ctx Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 51/83] mmc: vub300: fix NULL-deref on disconnect Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 52/83] mmc: vub300: fix use-after-free " Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 53/83] net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 54/83] net: stmmac: fix integer underflow in chain mode Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 55/83] mm: filemap: fix nr_pages calculation overflow in filemap_map_pages() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 56/83] idpf: fix PREEMPT_RT raw/bh spinlock nesting for async VC handling Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 57/83] idpf: improve locking around idpf_vc_xn_push_free() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 58/83] idpf: set the payload size before calling the async handler Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 59/83] net: lan966x: fix page_pool error handling in lan966x_fdma_rx_alloc_page_pool() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 60/83] net: lan966x: fix page pool leak in error paths Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 61/83] net: lan966x: fix use-after-free and leak in lan966x_fdma_reload() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 62/83] rxrpc: Fix key quota calculation for multitoken keys Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 63/83] rxrpc: Fix key parsing memleak Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 64/83] rxrpc: Fix anonymous key handling Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 65/83] rxrpc: Fix call removal to use RCU safe deletion Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 66/83] rxrpc: Fix RxGK token loading to check bounds Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 67/83] rxrpc: Fix use of wrong skb when comparing queued RESP challenge serial Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 68/83] rxrpc: Fix rack timer warning to report unexpected mode Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 69/83] rxrpc: Fix key reference count leak from call->key Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 70/83] rxrpc: Fix to request an ack if window is limited Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 71/83] rxrpc: Only put the call ref if one was acquired Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 72/83] rxrpc: reject undecryptable rxkad response tickets Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 73/83] rxrpc: fix RESPONSE authenticator parser OOB read Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 74/83] rxrpc: fix oversized RESPONSE authenticator length check Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 75/83] rxrpc: fix reference count leak in rxrpc_server_keyring() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 76/83] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 77/83] rxrpc: Fix missing error checks for rxkad encryption/decryption failure Greg Kroah-Hartman
2026-04-13 16:00 ` Greg Kroah-Hartman [this message]
2026-04-13 16:00 ` [PATCH 6.18 79/83] rxrpc: Fix leak of rxgk context in rxgk_verify_response() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 80/83] rxrpc: Fix buffer overread in rxgk_do_verify_authenticator() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 81/83] rxrpc: only handle RESPONSE during service challenge Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 82/83] rxrpc: proc: size address buffers for %pISpc output Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.18 83/83] net: skb: fix cross-cache free of KFENCE-allocated skb head Greg Kroah-Hartman
2026-04-13 17:43 ` [PATCH 6.18 00/83] 6.18.23-rc1 review Brett A C Sheffield
2026-04-13 19:33 ` Florian Fainelli
2026-04-14 7:44 ` Wentao Guan
2026-04-14 7:54 ` Jon Hunter
2026-04-14 8:09 ` Pavel Machek
2026-04-14 11:31 ` Ron Economos
2026-04-14 17:42 ` Shuah Khan
2026-04-14 18:12 ` Miguel Ojeda
2026-04-14 19:37 ` Peter Schneider
2026-04-14 21:11 ` Barry K. Nathan
2026-04-15 3:48 ` Shung-Hsi Yu
2026-04-15 10:13 ` Mark Brown
2026-04-15 18:38 ` Dileep malepu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413155733.906676015@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=horms@kernel.org \
--cc=jaltman@auristor.com \
--cc=kuba@kernel.org \
--cc=linux-afs@lists.infradead.org \
--cc=marc.dionne@auristor.com \
--cc=patches@lists.linux.dev \
--cc=stable@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox