| commit | 5ee1685d45ceceb19bdc81e90ae4e54c24ab561a | [log] [tgz] |
|---|---|---|
| author | Herbert Xu <[email protected]> | Tue Sep 16 15:42:41 2025 +0800 |
| committer | Miri Amarilio <[email protected]> | Thu Oct 09 15:36:30 2025 -0700 |
| tree | f4334fcbd3d8c74a44500a795820467397a55adc | |
| parent | 3aec179b967002643503bb727eb52c1b7e9b35ec [diff] |
crypto: af_alg - Set merge to zero early in af_alg_sendmsg
[ Upstream commit 9574b2330dbd2b5459b74d3b5e9619d39299fc6f ]
If an error causes af_alg_sendmsg to abort, ctx->merge may contain
a garbage value from the previous loop. This may then trigger a
crash on the next entry into af_alg_sendmsg when it attempts to do
a merge that can't be done.
Fix this by setting ctx->merge to zero near the start of the loop.
BUG=b/449343051
TEST=presubmit
RELEASE_NOTE=Fixed CVE-2025-39931 in the Linux kernel.
Fixes: 8ff590903d5 ("crypto: algif_skcipher - User-space interface for skcipher operations")
Reported-by: Muhammad Alifa Ramdhan <[email protected]>
Reported-by: Bing-Jhong Billy Jheng <[email protected]>
Change-Id: I027370d624d220be5e0f612d32f887fa3afebb08
Signed-off-by: Herbert Xu <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/113670
Reviewed-by: Kevin Berry <[email protected]>
Main-Branch-Verified: Cusky Presubmit Bot <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>
Signed-off-by: Miri Amarilio <[email protected]>
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/113801
