)]}'
{
  "commit": "824daafa5f157963eea76b8fc10de1d2df43be70",
  "tree": "ef645149daabddc9611710a8edf05982ab1b084f",
  "parents": [
    "c12225c7c49fc8d2e8980a2281e0a30a00ee7c48"
  ],
  "author": {
    "name": "YunJe Shin",
    "email": "yjshin0438@gmail.com",
    "time": "Tue Feb 03 19:06:21 2026 +0900"
  },
  "committer": {
    "name": "Miri Amarilio",
    "email": "mirilio@google.com",
    "time": "Fri Mar 20 10:46:30 2026 -0700"
  },
  "message": "RDMA/umad: Reject negative data_len in ib_umad_write\n\ncommit 5551b02fdbfd85a325bb857f3a8f9c9f33397ed2 upstream.\n\nib_umad_write computes data_len from user-controlled count and the\nMAD header sizes. With a mismatched user MAD header size and RMPP\nheader length, data_len can become negative and reach ib_create_send_mad().\nThis can make the padding calculation exceed the segment size and trigger\nan out-of-bounds memset in alloc_send_rmpp_list().\n\nAdd an explicit check to reject negative data_len before creating the\nsend buffer.\n\nKASAN splat:\n[  211.363464] BUG: KASAN: slab-out-of-bounds in ib_create_send_mad+0xa01/0x11b0\n[  211.364077] Write of size 220 at addr ffff88800c3fa1f8 by task spray_thread/102\n[  211.365867] ib_create_send_mad+0xa01/0x11b0\n[  211.365887] ib_umad_write+0x853/0x1c80\n\nBUG\u003db/494186156\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2026-23243 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: 2be8e3ee8efd (\"IB/umad: Add P_Key index support\")\nChange-Id: I53430ac5e06a532287f9d770e4bf97cbb4bc4649\nSigned-off-by: YunJe Shin \u003cioerts@kookmin.ac.kr\u003e\nLink: https://patch.msgid.link/20260203100628.1215408-1-ioerts@kookmin.ac.kr\nSigned-off-by: Leon Romanovsky \u003cleon@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/139041\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Miri Amarilio \u003cmirilio@google.com\u003e\nReviewed-by: Dom Huh \u003cdomhuh@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "66a0c5a73b832bcb23502ad6b55cd098a1a31947",
      "old_mode": 33188,
      "old_path": "drivers/infiniband/core/user_mad.c",
      "new_id": "03e94ef2d92276c96f65d9f879b99c52e9ad1e75",
      "new_mode": 33188,
      "new_path": "drivers/infiniband/core/user_mad.c"
    }
  ]
}