From: Greg Kroah-Hartman Date: Mon, 4 May 2026 12:21:02 +0000 (+0200) Subject: 6.12-stable patches X-Git-Tag: v6.12.86~16 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ea72c48f0209aa7c30ecb267994731d018deccac;p=thirdparty%2Fkernel%2Fstable-queue.git 6.12-stable patches added patches: crypto-authencesn-reject-short-ahash-digests-during-instance-creation.patch net-bonding-fix-use-after-free-in-bond_xmit_broadcast.patch --- diff --git a/queue-6.12/crypto-authencesn-reject-short-ahash-digests-during-instance-creation.patch b/queue-6.12/crypto-authencesn-reject-short-ahash-digests-during-instance-creation.patch new file mode 100644 index 0000000000..858e4ef904 --- /dev/null +++ b/queue-6.12/crypto-authencesn-reject-short-ahash-digests-during-instance-creation.patch @@ -0,0 +1,60 @@ +From 5db6ef9847717329f12c5ea8aba7e9f588a980c0 Mon Sep 17 00:00:00 2001 +From: Yucheng Lu +Date: Wed, 22 Apr 2026 21:45:04 +0800 +Subject: crypto: authencesn - reject short ahash digests during instance creation + +From: Yucheng Lu + +commit 5db6ef9847717329f12c5ea8aba7e9f588a980c0 upstream. + +authencesn requires either a zero authsize or an authsize of at least +4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of +high-order sequence number data at the end of the authenticated data. + +While crypto_authenc_esn_setauthsize() already rejects explicit +non-zero authsizes in the range 1..3, crypto_authenc_esn_create() +still copied auth->digestsize into inst->alg.maxauthsize without +validating it. The AEAD core then initialized the tfm's default +authsize from that value. + +As a result, selecting an ahash with digest size 1..3, such as +cbcmac(cipher_null), exposed authencesn instances whose default +authsize was invalid even though setauthsize() would have rejected the +same value. AF_ALG could then trigger the ESN tail handling with a +too-short tag and hit an out-of-bounds access. + +Reject authencesn instances whose ahash digest size is in the invalid +non-zero range 1..3 so that no tfm can inherit an unsupported default +authsize. + +Fixes: f15f05b0a5de ("crypto: ccm - switch to separate cbcmac driver") +Cc: stable@kernel.org +Reported-by: Yifan Wu +Reported-by: Juefei Pu +Co-developed-by: Yuan Tan +Signed-off-by: Yuan Tan +Suggested-by: Xin Liu +Tested-by: Yuhang Zheng +Reviewed-by: Eric Biggers +Signed-off-by: Yucheng Lu +Signed-off-by: Ren Wei +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + crypto/authencesn.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/crypto/authencesn.c ++++ b/crypto/authencesn.c +@@ -390,6 +390,11 @@ static int crypto_authenc_esn_create(str + auth = crypto_spawn_ahash_alg(&ctx->auth); + auth_base = &auth->base; + ++ if (auth->digestsize > 0 && auth->digestsize < 4) { ++ err = -EINVAL; ++ goto err_free_inst; ++ } ++ + err = crypto_grab_skcipher(&ctx->enc, aead_crypto_instance(inst), + crypto_attr_alg_name(tb[2]), 0, mask); + if (err) diff --git a/queue-6.12/net-bonding-fix-use-after-free-in-bond_xmit_broadcast.patch b/queue-6.12/net-bonding-fix-use-after-free-in-bond_xmit_broadcast.patch new file mode 100644 index 0000000000..12029e3fde --- /dev/null +++ b/queue-6.12/net-bonding-fix-use-after-free-in-bond_xmit_broadcast.patch @@ -0,0 +1,109 @@ +From 2884bf72fb8f03409e423397319205de48adca16 Mon Sep 17 00:00:00 2001 +From: Xiang Mei +Date: Thu, 26 Mar 2026 00:55:53 -0700 +Subject: net: bonding: fix use-after-free in bond_xmit_broadcast() + +From: Xiang Mei + +commit 2884bf72fb8f03409e423397319205de48adca16 upstream. + +bond_xmit_broadcast() reuses the original skb for the last slave +(determined by bond_is_last_slave()) and clones it for others. +Concurrent slave enslave/release can mutate the slave list during +RCU-protected iteration, changing which slave is "last" mid-loop. +This causes the original skb to be double-consumed (double-freed). + +Replace the racy bond_is_last_slave() check with a simple index +comparison (i + 1 == slaves_count) against the pre-snapshot slave +count taken via READ_ONCE() before the loop. This preserves the +zero-copy optimization for the last slave while making the "last" +determination stable against concurrent list mutations. + +The UAF can trigger the following crash: + +================================================================== +BUG: KASAN: slab-use-after-free in skb_clone +Read of size 8 at addr ffff888100ef8d40 by task exploit/147 + +CPU: 1 UID: 0 PID: 147 Comm: exploit Not tainted 7.0.0-rc3+ #4 PREEMPTLAZY +Call Trace: + + dump_stack_lvl (lib/dump_stack.c:123) + print_report (mm/kasan/report.c:379 mm/kasan/report.c:482) + kasan_report (mm/kasan/report.c:597) + skb_clone (include/linux/skbuff.h:1724 include/linux/skbuff.h:1792 include/linux/skbuff.h:3396 net/core/skbuff.c:2108) + bond_xmit_broadcast (drivers/net/bonding/bond_main.c:5334) + bond_start_xmit (drivers/net/bonding/bond_main.c:5567 drivers/net/bonding/bond_main.c:5593) + dev_hard_start_xmit (include/linux/netdevice.h:5325 include/linux/netdevice.h:5334 net/core/dev.c:3871 net/core/dev.c:3887) + __dev_queue_xmit (include/linux/netdevice.h:3601 net/core/dev.c:4838) + ip6_finish_output2 (include/net/neighbour.h:540 include/net/neighbour.h:554 net/ipv6/ip6_output.c:136) + ip6_finish_output (net/ipv6/ip6_output.c:208 net/ipv6/ip6_output.c:219) + ip6_output (net/ipv6/ip6_output.c:250) + ip6_send_skb (net/ipv6/ip6_output.c:1985) + udp_v6_send_skb (net/ipv6/udp.c:1442) + udpv6_sendmsg (net/ipv6/udp.c:1733) + __sys_sendto (net/socket.c:730 net/socket.c:742 net/socket.c:2206) + __x64_sys_sendto (net/socket.c:2209) + do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) + entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) + + +Allocated by task 147: + +Freed by task 147: + +The buggy address belongs to the object at ffff888100ef8c80 + which belongs to the cache skbuff_head_cache of size 224 +The buggy address is located 192 bytes inside of + freed 224-byte region [ffff888100ef8c80, ffff888100ef8d60) + +Memory state around the buggy address: + ffff888100ef8c00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc + ffff888100ef8c80: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff888100ef8d00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc + ^ + ffff888100ef8d80: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb + ffff888100ef8e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Fixes: 4e5bd03ae346 ("net: bonding: fix bond_xmit_broadcast return value error bug") +Reported-by: Weiming Shi +Signed-off-by: Xiang Mei +Link: https://patch.msgid.link/20260326075553.3960562-1-xmei5@asu.edu +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +Signed-off-by: Kevin Berry +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -5322,18 +5322,22 @@ static netdev_tx_t bond_xmit_broadcast(s + struct net_device *bond_dev) + { + struct bonding *bond = netdev_priv(bond_dev); +- struct slave *slave = NULL; +- struct list_head *iter; ++ struct bond_up_slave *slaves; + bool xmit_suc = false; + bool skb_used = false; ++ int slaves_count, i; + +- bond_for_each_slave_rcu(bond, slave, iter) { ++ slaves = rcu_dereference(bond->all_slaves); ++ ++ slaves_count = slaves ? READ_ONCE(slaves->count) : 0; ++ for (i = 0; i < slaves_count; i++) { ++ struct slave *slave = slaves->arr[i]; + struct sk_buff *skb2; + + if (!(bond_slave_is_up(slave) && slave->link == BOND_LINK_UP)) + continue; + +- if (bond_is_last_slave(bond, slave)) { ++ if (i + 1 == slaves_count) { + skb2 = skb; + skb_used = true; + } else { diff --git a/queue-6.12/series b/queue-6.12/series index 772b65dae8..6391f9306c 100644 --- a/queue-6.12/series +++ b/queue-6.12/series @@ -202,3 +202,5 @@ net-mctp-fix-don-t-require-received-header-reserved-bits-to-be-zero.patch net-qrtr-ns-limit-the-total-number-of-nodes.patch spi-fix-resource-leaks-on-device-setup-failure.patch mm-prevent-droppable-mappings-from-being-locked.patch +crypto-authencesn-reject-short-ahash-digests-during-instance-creation.patch +net-bonding-fix-use-after-free-in-bond_xmit_broadcast.patch