Description
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix RxGK token loading to check bounds rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length from the XDR token as u32 values and passes each through round_up(x, 4) before using the rounded value for validation and allocation. When the raw length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and kzalloc both use 0 while the subsequent memcpy still copies the original ~4 GiB value, producing a heap buffer overflow reachable from an unprivileged add_key() call. Fix this by: (1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX. (2) Sizing the flexible-array allocation from the validated raw key length via struct_size_t() instead of the rounded value. (3) Caching the raw lengths so that the later field assignments and memcpy calls do not re-read from the token, eliminating a class of TOCTOU re-parse. The control path (valid token with lengths within bounds) is unaffected.
Product status
0ca100ff4df64f5d0f6c1dd5080c3e096786bea6 (git) before 3e04596cba8a86cbff9c3f4bf0a524a3a488773c
0ca100ff4df64f5d0f6c1dd5080c3e096786bea6 (git) before 49875b360c2b83a3c226e189c502e501d83e6445
0ca100ff4df64f5d0f6c1dd5080c3e096786bea6 (git) before d179a868dd755b0cfcf7582e00943d702b9943b8
6.16
Any version before 6.16
6.18.23 (semver)
6.19.13 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/3e04596cba8a86cbff9c3f4bf0a524a3a488773c
git.kernel.org/...c/49875b360c2b83a3c226e189c502e501d83e6445
git.kernel.org/...c/d179a868dd755b0cfcf7582e00943d702b9943b8