]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 08:34:57 +0000 (10:34 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 2 Jul 2026 08:34:57 +0000 (10:34 +0200)
added patches:
mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch

queue-5.10/mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch [new file with mode: 0644]
queue-5.10/series

diff --git a/queue-5.10/mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch b/queue-5.10/mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch
new file mode 100644 (file)
index 0000000..8182e52
--- /dev/null
@@ -0,0 +1,98 @@
+From 84a04eb5b210643bd67aab81ff805d32f62aa865 Mon Sep 17 00:00:00 2001
+From: Doruk Tan Ozturk <doruk@0sec.ai>
+Date: Tue, 26 May 2026 20:37:26 +0200
+Subject: mac802154: llsec: add skb_cow_data() before in-place crypto
+
+From: Doruk Tan Ozturk <doruk@0sec.ai>
+
+commit 84a04eb5b210643bd67aab81ff805d32f62aa865 upstream.
+
+llsec_do_encrypt_unauth(), llsec_do_encrypt_auth(),
+llsec_do_decrypt_unauth(), and llsec_do_decrypt_auth() all perform
+in-place cryptographic transformations on skb data.  They build a
+scatterlist with sg_init_one() pointing into the skb's linear data area
+and then pass the same scatterlist as both src and dst to the crypto API
+(e.g. crypto_skcipher_encrypt/decrypt, crypto_aead_encrypt/decrypt).
+
+On the RX path, __ieee802154_rx_handle_packet() clones the received skb
+before handing it to each subscriber via ieee802154_subif_frame().  The
+cloned skb shares the same underlying data buffer via reference
+counting.  When llsec_do_decrypt() subsequently modifies this shared
+buffer in place, it corrupts data that other clones -- potentially
+belonging to other sockets or subsystems -- still reference.
+
+On the TX path, similar data sharing can occur when an skb's head has
+been cloned (skb_cloned() returns true).
+
+The fix is to call skb_cow_data() before performing any in-place crypto
+operation.  skb_cow_data() ensures that the skb's data area is not
+shared: if the skb head is cloned or the data spans multiple fragments,
+it copies the data into a private buffer that can be safely modified in
+place.  This is the same pattern used by:
+
+  - ESP (net/ipv4/esp4.c, net/ipv6/esp6.c)
+  - MACsec (drivers/net/macsec.c)
+  - WireGuard (drivers/net/wireguard/receive.c)
+  - TIPC (net/tipc/crypto.c)
+
+Without this guard, in-place crypto on shared skb data leads to:
+  - Silent data corruption of other skb clones
+  - Use-after-free when the crypto API scatterwalk writes through a
+    page that has already been freed by another clone's kfree_skb()
+  - Kernel crashes under concurrent 802.15.4 traffic with security
+    enabled (KASAN/KMSAN reports slab-use-after-free)
+
+Found by 0sec (https://0sec.ai) using automated source analysis.
+
+Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method")
+Fixes: 03556e4d0dbb ("mac802154: add llsec encryption method")
+Cc: stable@vger.kernel.org
+Reported-by: Doruk Tan Ozturk <doruk@0sec.ai>
+Closes: https://lore.kernel.org/linux-wpan/20260525161806.96158-1-doruk@0sec.ai/
+Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
+Signed-off-by: Doruk Tan Ozturk <doruk@0sec.ai>
+Closes: <link to your mail on lore>
+Link: https://lore.kernel.org/20260526183726.56100-1-doruk@0sec.ai
+Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac802154/llsec.c |   14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/net/mac802154/llsec.c
++++ b/net/mac802154/llsec.c
+@@ -710,6 +710,7 @@ int mac802154_llsec_encrypt(struct mac80
+ {
+       struct ieee802154_hdr hdr;
+       int rc, authlen, hlen;
++      struct sk_buff *trailer;
+       struct mac802154_llsec_key *key;
+       u32 frame_ctr;
+@@ -766,6 +767,12 @@ int mac802154_llsec_encrypt(struct mac80
+       skb->mac_len = ieee802154_hdr_push(skb, &hdr);
+       skb_reset_mac_header(skb);
++      rc = skb_cow_data(skb, 0, &trailer);
++      if (rc < 0) {
++              llsec_key_put(key);
++              return rc;
++      }
++
+       rc = llsec_do_encrypt(skb, sec, &hdr, key);
+       llsec_key_put(key);
+@@ -905,6 +912,13 @@ llsec_do_decrypt(struct sk_buff *skb, co
+                const struct ieee802154_hdr *hdr,
+                struct mac802154_llsec_key *key, __le64 dev_addr)
+ {
++      struct sk_buff *trailer;
++      int err;
++
++      err = skb_cow_data(skb, 0, &trailer);
++      if (err < 0)
++              return err;
++
+       if (hdr->sec.level == IEEE802154_SCF_SECLEVEL_ENC)
+               return llsec_do_decrypt_unauth(skb, sec, hdr, key, dev_addr);
+       else
index 3c2d421562d96a36604a86b643fd46cc3967f804..40ea938021f2f3f1337b8ca8178fda2aecaa2a3e 100644 (file)
@@ -58,3 +58,4 @@ ring-buffer-remove-ring_buffer_read_prepare_sync.patch
 ext4-add-bounds-check-for-inline-data-length-in-ext4.patch
 crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch
 net-cpsw_new-fix-potential-unregister-of-netdev-that.patch
+mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch