1c4b37fda000c09fb986f28b1dcc4a063cfe47bc - third_party/kernel

commit	1c4b37fda000c09fb986f28b1dcc4a063cfe47bc	[log] [tgz]
author	Taeyang Lee <0wn@theori.io>	Fri Jan 16 16:03:58 2026 +0900
committer	Kevin Berry <kpberry@google.com>	Wed Jan 28 00:49:19 2026 -0800
tree	356b3226418ec457da4ac2dfa3c3bdeaefbcd3f2
parent	c49abe872b60136ca574a42d940ac9976373de6b [diff]

crypto: authencesn - reject too-short AAD (assoclen<8) to match ESP/ESN spec

authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than
the minimum expected length, crypto_authenc_esn_decrypt() can advance past
the end of the destination scatterlist and trigger a NULL pointer dereference
in scatterwalk_map_and_copy(), leading to a kernel panic (DoS).

Add a minimum AAD length check to fail fast on invalid inputs.

BUG=b/478783196
TEST=presubmit
RELEASE_NOTE=Fixed KCTF-2397e92 in the Linux kernel.

Fixes: 104880a6b470 ("crypto: authencesn - Convert to new AEAD interface")
Reported-By: Taeyang Lee <0wn@theori.io>
Signed-off-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Change-Id: I8b632b28d5badd79f504abc3d487878de7ec7c5f
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/127443
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Miri Amarilio <mirilio@google.com>

crypto/authencesn.c[diff]

1 file changed

tree: 356b3226418ec457da4ac2dfa3c3bdeaefbcd3f2