From a0aae5114671be7c67de5a4e1bf73fa60aca036a Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 2 Jul 2026 10:37:37 +0200 Subject: [PATCH] 5.15-stable patches added patches: mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch --- ...-skb_cow_data-before-in-place-crypto.patch | 98 +++++++++++++++++++ queue-5.15/series | 1 + 2 files changed, 99 insertions(+) create mode 100644 queue-5.15/mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch diff --git a/queue-5.15/mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch b/queue-5.15/mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch new file mode 100644 index 0000000000..8182e52939 --- /dev/null +++ b/queue-5.15/mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch @@ -0,0 +1,98 @@ +From 84a04eb5b210643bd67aab81ff805d32f62aa865 Mon Sep 17 00:00:00 2001 +From: Doruk Tan Ozturk +Date: Tue, 26 May 2026 20:37:26 +0200 +Subject: mac802154: llsec: add skb_cow_data() before in-place crypto + +From: Doruk Tan Ozturk + +commit 84a04eb5b210643bd67aab81ff805d32f62aa865 upstream. + +llsec_do_encrypt_unauth(), llsec_do_encrypt_auth(), +llsec_do_decrypt_unauth(), and llsec_do_decrypt_auth() all perform +in-place cryptographic transformations on skb data. They build a +scatterlist with sg_init_one() pointing into the skb's linear data area +and then pass the same scatterlist as both src and dst to the crypto API +(e.g. crypto_skcipher_encrypt/decrypt, crypto_aead_encrypt/decrypt). + +On the RX path, __ieee802154_rx_handle_packet() clones the received skb +before handing it to each subscriber via ieee802154_subif_frame(). The +cloned skb shares the same underlying data buffer via reference +counting. When llsec_do_decrypt() subsequently modifies this shared +buffer in place, it corrupts data that other clones -- potentially +belonging to other sockets or subsystems -- still reference. + +On the TX path, similar data sharing can occur when an skb's head has +been cloned (skb_cloned() returns true). + +The fix is to call skb_cow_data() before performing any in-place crypto +operation. skb_cow_data() ensures that the skb's data area is not +shared: if the skb head is cloned or the data spans multiple fragments, +it copies the data into a private buffer that can be safely modified in +place. This is the same pattern used by: + + - ESP (net/ipv4/esp4.c, net/ipv6/esp6.c) + - MACsec (drivers/net/macsec.c) + - WireGuard (drivers/net/wireguard/receive.c) + - TIPC (net/tipc/crypto.c) + +Without this guard, in-place crypto on shared skb data leads to: + - Silent data corruption of other skb clones + - Use-after-free when the crypto API scatterwalk writes through a + page that has already been freed by another clone's kfree_skb() + - Kernel crashes under concurrent 802.15.4 traffic with security + enabled (KASAN/KMSAN reports slab-use-after-free) + +Found by 0sec (https://0sec.ai) using automated source analysis. + +Fixes: 4c14a2fb5d14 ("mac802154: add llsec decryption method") +Fixes: 03556e4d0dbb ("mac802154: add llsec encryption method") +Cc: stable@vger.kernel.org +Reported-by: Doruk Tan Ozturk +Closes: https://lore.kernel.org/linux-wpan/20260525161806.96158-1-doruk@0sec.ai/ +Reviewed-by: Alexander Lobakin +Signed-off-by: Doruk Tan Ozturk +Closes: +Link: https://lore.kernel.org/20260526183726.56100-1-doruk@0sec.ai +Signed-off-by: Stefan Schmidt +Signed-off-by: Greg Kroah-Hartman +--- + net/mac802154/llsec.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +--- a/net/mac802154/llsec.c ++++ b/net/mac802154/llsec.c +@@ -710,6 +710,7 @@ int mac802154_llsec_encrypt(struct mac80 + { + struct ieee802154_hdr hdr; + int rc, authlen, hlen; ++ struct sk_buff *trailer; + struct mac802154_llsec_key *key; + u32 frame_ctr; + +@@ -766,6 +767,12 @@ int mac802154_llsec_encrypt(struct mac80 + skb->mac_len = ieee802154_hdr_push(skb, &hdr); + skb_reset_mac_header(skb); + ++ rc = skb_cow_data(skb, 0, &trailer); ++ if (rc < 0) { ++ llsec_key_put(key); ++ return rc; ++ } ++ + rc = llsec_do_encrypt(skb, sec, &hdr, key); + llsec_key_put(key); + +@@ -905,6 +912,13 @@ llsec_do_decrypt(struct sk_buff *skb, co + const struct ieee802154_hdr *hdr, + struct mac802154_llsec_key *key, __le64 dev_addr) + { ++ struct sk_buff *trailer; ++ int err; ++ ++ err = skb_cow_data(skb, 0, &trailer); ++ if (err < 0) ++ return err; ++ + if (hdr->sec.level == IEEE802154_SCF_SECLEVEL_ENC) + return llsec_do_decrypt_unauth(skb, sec, hdr, key, dev_addr); + else diff --git a/queue-5.15/series b/queue-5.15/series index 9ca13f6dd0..6309f81f9b 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -54,3 +54,4 @@ ring-buffer-remove-ring_buffer_read_prepare_sync.patch ntfs3-reject-direct-userspace-writes-to-reserved-lx-xattrs.patch ext4-add-bounds-check-for-inline-data-length-in-ext4.patch crypto-af_alg-set-merge-to-zero-early-in-af_alg_send.patch +mac802154-llsec-add-skb_cow_data-before-in-place-crypto.patch -- 2.47.3