Description
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt Stanislav reported that in bpf_crypto_crypt() the destination dynptr's size is not validated to be at least as large as the source dynptr's size before calling into the crypto backend with 'len = src_len'. This can result in an OOB write when the destination is smaller than the source. Concretely, in mentioned function, psrc and pdst are both linear buffers fetched from each dynptr: psrc = __bpf_dynptr_data(src, src_len); [...] pdst = __bpf_dynptr_data_rw(dst, dst_len); [...] err = decrypt ? ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) : ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv); The crypto backend expects pdst to be large enough with a src_len length that can be written. Add an additional src_len > dst_len check and bail out if it's the case. Note that these kfuncs are accessible under root privileges only.
Product status
3e1c6f35409f9e447bf37f64840f5b65576bfb78 before 0126358df12d6f476f79251d9c398ac5c1b3062d
3e1c6f35409f9e447bf37f64840f5b65576bfb78 before c4be24ef0510c146dca4671effb127e97631534b
3e1c6f35409f9e447bf37f64840f5b65576bfb78 before f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14
6.10
Any version before 6.10
6.12.48
6.16.8
6.17
References
git.kernel.org/...c/0126358df12d6f476f79251d9c398ac5c1b3062d
git.kernel.org/...c/c4be24ef0510c146dca4671effb127e97631534b
git.kernel.org/...c/f9bb6ffa7f5ad0f8ee0f53fc4a10655872ee4a14
