[PATCH AUTOSEL 6.18] crypto: algif_aead - Fix minimum RX size check for decryption

Next message: Sasha Levin: "[PATCH AUTOSEL 7.0-6.19] sched/eevdf: Clear buddies for preempt_short"
Previous message: Sasha Levin: "[PATCH AUTOSEL 7.0-6.1] orangefs_readahead: don't overflow the bufmap slot."
In reply to: Sasha Levin: "[PATCH AUTOSEL 7.0-6.1] orangefs_readahead: don't overflow the bufmap slot."
Next in thread: Sasha Levin: "[PATCH AUTOSEL 7.0-6.19] sched/eevdf: Clear buddies for preempt_short"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Sasha Levin

Date: Mon Apr 20 2026 - 09:55:26 EST

From: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>

[ Upstream commit 3d14bd48e3a77091cbce637a12c2ae31b4a1687c ]

The check for the minimum receive buffer size did not take the
tag size into account during decryption. Fix this by adding the
required extra length.

Reported-by: syzbot+aa11561819dc42ebbc7c@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: Daniel Pouzzner <douzzer@xxxxxxx>
Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management")
Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
---

LLM Generated explanations, may be completely bogus:

Error: Failed to generate final synthesis

crypto/algif_aead.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
index dda15bb05e892..f8bd45f7dc839 100644
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -144,7 +144,7 @@ static int _aead_recvmsg(struct socket *sock, struct msghdr *msg,
if (usedpages < outlen) {
size_t less = outlen - usedpages;

- if (used < less) {
+ if (used < less + (ctx->enc ? 0 : as)) {
err = -EINVAL;
goto free;
}
--
2.53.0