| author | Norbert Szetei <norbert@doyensec.com> | 2026-03-25 18:26:13 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2026-04-11 14:26:20 +0200 |
| commit | 00cbdec17c15d024a1c5002c7365df7624a18a75 (patch) | |
| tree | edd2bba7379b04fe8b1c15945a7fb2fa0e2ccdd2 /drivers/net | |
| parent | 83622e52431ebf8317dc36003ab5a1a311b19da2 (diff) | |
crypto: af-alg - fix NULL pointer dereference in scatterwalk

[ Upstream commit 62397b493e14107ae82d8b80938f293d95425bcb ]

The AF_ALG interface fails to unmark the end of a Scatter/Gather List (SGL)
when chaining a new af_alg_tsgl structure. If a sendmsg() fills an SGL
exactly to MAX_SGL_ENTS, the last entry is marked as the end. A subsequent
sendmsg() allocates a new SGL and chains it, but fails to clear the end
marker on the previous SGL's last data entry.

This causes the crypto scatterwalk to hit a premature end, returning NULL
on sg_next() and leading to a kernel panic during dereference.

Fix this by explicitly unmarking the end of the previous SGL when
performing sg_chain() in af_alg_alloc_tsgl().

Fixes: 8ff590903d5f ("crypto: algif_skcipher - User-space interface for skcipher operations")
Signed-off-by: Norbert Szetei <norbert@doyensec.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/net')
0 files changed, 0 insertions, 0 deletions
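
A simplified userspace model of the end-marker behaviour the commit message describes, added here as an example; it is not code from the commit or the kernel. Every `model_*` name, the flag values and the table size of 4 are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Userspace model, not kernel code; all model_* names and sizes are assumptions. */
#define MODEL_SG_CHAIN 0x1UL
#define MODEL_SG_END   0x2UL
#define MODEL_MAX_ENTS 4   /* constructed; stands in for MAX_SGL_ENTS */

struct model_sg { uintptr_t link; };   /* flag bits live in the low bits */
struct model_tsgl { struct model_sg sg[MODEL_MAX_ENTS + 1]; }; /* +1: chain slot */

static struct model_sg *model_sg_next(struct model_sg *sg)
{
    if (sg->link & MODEL_SG_END)
        return NULL;       /* end marker is checked first, so the walk stops */
    sg++;
    if (sg->link & MODEL_SG_CHAIN)
        sg = (struct model_sg *)(sg->link & ~(MODEL_SG_CHAIN | MODEL_SG_END));
    return sg;
}

/* Fill n data slots and mark the last as the end, as a sendmsg() would. */
static void model_fill(struct model_tsgl *t, unsigned int n)
{
    for (unsigned int i = 0; i < n; i++) t->sg[i].link = 0;
    t->sg[n - 1].link |= MODEL_SG_END;
}

/* Chain a full table to a new one and count the entries a walker reaches.
 * unmark_end != 0 models the fix described in the commit message. */
unsigned int model_walk(int unmark_end)
{
    static struct model_tsgl a, b;
    unsigned int seen = 0;
    model_fill(&a, MODEL_MAX_ENTS);                 /* table exactly full */
    if (unmark_end)
        a.sg[MODEL_MAX_ENTS - 1].link &= ~MODEL_SG_END;
    a.sg[MODEL_MAX_ENTS].link = (uintptr_t)b.sg | MODEL_SG_CHAIN;
    model_fill(&b, 1);                              /* next sendmsg() data */
    for (struct model_sg *sg = a.sg; sg; sg = model_sg_next(sg))
        seen++;
    return seen;
}

int main(void)
{
    printf("unfixed: %u, fixed: %u entries reached\n", model_walk(0), model_walk(1));
    return 0;
}
```

In the model the unfixed walk stops after the four entries of the first table and never follows the chain link; a consumer that expects the fifth entry is the one that ends up holding the NULL.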
