Patch "rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()" has been added to the 6.18-stable tree
gregkh at linuxfoundation.org
gregkh at linuxfoundation.org
Mon Apr 13 05:39:04 PDT 2026
This is a note to let you know that I've just added the patch titled
rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()
to the 6.18-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch
and it can be found in the queue-6.18 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.
>From f564af387c8c28238f8ebc13314c589d7ba8475d Mon Sep 17 00:00:00 2001
From: David Howells <dhowells at redhat.com>
Date: Wed, 8 Apr 2026 13:12:47 +0100
Subject: rxrpc: Fix buffer overread in rxgk_do_verify_authenticator()
From: David Howells <dhowells at redhat.com>
commit f564af387c8c28238f8ebc13314c589d7ba8475d upstream.
Fix rxgk_do_verify_authenticator() to check the buffer size before checking
the nonce.
Fixes: 9d1d2b59341f ("rxrpc: rxgk: Implement the yfs-rxgk security class (GSSAPI)")
Closes: https://sashiko.dev/#/patchset/20260401105614.1696001-10-dhowells@redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-20-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
net/rxrpc/rxgk.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/rxrpc/rxgk.c
+++ b/net/rxrpc/rxgk.c
@@ -1085,6 +1085,9 @@ static int rxgk_do_verify_authenticator(
_enter("");
+ if ((end - p) * sizeof(__be32) < 24)
+ return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
+ rxgk_abort_resp_short_auth);
if (memcmp(p, conn->rxgk.nonce, 20) != 0)
return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
rxgk_abort_resp_bad_nonce);
@@ -1098,7 +1101,7 @@ static int rxgk_do_verify_authenticator(
p += xdr_round_up(app_len) / sizeof(__be32);
if (end - p < 4)
return rxrpc_abort_conn(conn, skb, RXGK_NOTAUTH, -EPROTO,
- rxgk_abort_resp_short_applen);
+ rxgk_abort_resp_short_auth);
level = ntohl(*p++);
epoch = ntohl(*p++);
Patches currently in stable-queue which might be from dhowells at redhat.com are
queue-6.18/rxrpc-fix-rxgk-token-loading-to-check-bounds.patch
queue-6.18/rxrpc-only-put-the-call-ref-if-one-was-acquired.patch
queue-6.18/rxrpc-proc-size-address-buffers-for-pispc-output.patch
queue-6.18/rxrpc-fix-buffer-overread-in-rxgk_do_verify_authenticator.patch
queue-6.18/rxrpc-reject-undecryptable-rxkad-response-tickets.patch
queue-6.18/rxrpc-fix-missing-error-checks-for-rxkad-encryption-decryption-failure.patch
queue-6.18/rxrpc-fix-use-of-wrong-skb-when-comparing-queued-resp-challenge-serial.patch
queue-6.18/rxrpc-fix-integer-overflow-in-rxgk_verify_response.patch
queue-6.18/rxrpc-fix-reference-count-leak-in-rxrpc_server_keyring.patch
queue-6.18/rxrpc-fix-key-reference-count-leak-from-call-key.patch
queue-6.18/rxrpc-fix-leak-of-rxgk-context-in-rxgk_verify_response.patch
queue-6.18/rxrpc-fix-anonymous-key-handling.patch
queue-6.18/rxrpc-fix-to-request-an-ack-if-window-is-limited.patch
queue-6.18/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
queue-6.18/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
queue-6.18/mm-filemap-fix-nr_pages-calculation-overflow-in-filemap_map_pages.patch
queue-6.18/rxrpc-fix-key-parsing-memleak.patch
queue-6.18/rxrpc-fix-rack-timer-warning-to-report-unexpected-mode.patch
queue-6.18/rxrpc-fix-response-authenticator-parser-oob-read.patch
queue-6.18/rxrpc-fix-key-keyring-checks-in-setsockopt-rxrpc_security_key-keyring.patch
queue-6.18/rxrpc-fix-oversized-response-authenticator-length-check.patch
queue-6.18/rxrpc-only-handle-response-during-service-challenge.patch
More information about the linux-afs
mailing list