Description
In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix missing validation of ticket length in non-XDR key preparsing

In rxrpc_preparse(), there are two paths for parsing key payloads: the XDR path (for large payloads) and the non-XDR path (for payloads <= 28 bytes). While the XDR path (rxrpc_preparse_xdr_rxkad()) correctly validates the ticket length against AFSTOKEN_RK_TIX_MAX, the non-XDR path fails to do so.

This allows an unprivileged user to provide a very large ticket length. When this key is later read via rxrpc_read(), the total token size (toksize) calculation results in a value that exceeds AFSTOKEN_LENGTH_MAX, triggering a WARN_ON().

[ 2001.302904] WARNING: CPU: 2 PID: 2108 at net/rxrpc/key.c:778 rxrpc_read+0x109/0x5c0 [rxrpc]

Fix this by adding a check in the non-XDR parsing path of rxrpc_preparse() to ensure the ticket length does not exceed AFSTOKEN_RK_TIX_MAX, bringing it into parity with the XDR parsing logic.
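The missing bound described above, as an added user-space model in C (not kernel code and not part of the original advisory). The header layout, the constant values, MODEL_FIXED_BYTES and all function names are assumptions for illustration. With enforce_max off, an oversized ticket length passes parsing and is only noticed by the read-side size check; with it on, the payload is rejected at parse time.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constant names come from the advisory; the values are assumed for this model. */
#define AFSTOKEN_RK_TIX_MAX 12000u /* largest accepted ticket */
#define AFSTOKEN_LENGTH_MAX 16384u /* largest encoded token on read */
#define MODEL_FIXED_BYTES 36u      /* hypothetical fixed part of an encoded token */

/* Hypothetical non-XDR payload header; the ticket bytes follow it directly. */
struct model_hdr {
    uint16_t security_index;
    uint16_t ticket_length;
    uint8_t session_key[8];
};

/* Parse-side model. enforce_max = 0 is the pre-fix path, 1 is the fixed path. */
static int preparse(const uint8_t *p, size_t plen, int enforce_max, uint16_t *tlen)
{
    struct model_hdr h;

    if (plen < sizeof(h))
        return -EINVAL;
    memcpy(&h, p, sizeof(h));
    if (plen != sizeof(h) + h.ticket_length)
        return -EINVAL; /* declared length must match the payload */
    if (enforce_max && h.ticket_length > AFSTOKEN_RK_TIX_MAX)
        return -EINVAL; /* the bound the XDR path already applied */
    *tlen = h.ticket_length;
    return 0;
}

/* Read-side model: 1 if the encoded size would exceed the cap (the WARN_ON case). */
static int read_exceeds_cap(uint16_t tlen)
{
    size_t toksize = MODEL_FIXED_BYTES + (((size_t)tlen + 3u) & ~(size_t)3u);

    return toksize > AFSTOKEN_LENGTH_MAX;
}

/* Constructed sample payload with the given ticket length; returns its size. */
static size_t build_payload(uint8_t *out, uint16_t tlen)
{
    struct model_hdr h = { .security_index = 2, .ticket_length = tlen };

    memcpy(out, &h, sizeof(h));
    memset(out + sizeof(h), 0xAA, tlen);
    return sizeof(h) + tlen;
}
```

Because the parse-side bound is lower than the read-side cap minus the fixed part, any ticket length that passes the fixed path can no longer push the read-side size over the cap in this model.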
Product status
8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 (git) before 1fa36cf495b0023e8475d038535c05e4063211e1
8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 (git) before 4458757c020592a3094366e0fb20457383b42f92
8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 (git) before ce383ba615339f8eaec646a166d2c2b015bb5ca0
8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 (git) before a1be1c9ece26cea69654f28b255ff9a7906b897b
8a7a3eb4ddbe7c7e639170a64adede7cbd5a9247 (git) before ac33733b10b484d666f97688561670afd5861383
3.17
Any version before 3.17
6.6.136 (semver)
6.12.84 (semver)
6.18.25 (semver)
7.0.2 (semver)
7.1-rc1 (original_commit_for_fix)
References
git.kernel.org/...c/1fa36cf495b0023e8475d038535c05e4063211e1
git.kernel.org/...c/4458757c020592a3094366e0fb20457383b42f92
git.kernel.org/...c/ce383ba615339f8eaec646a166d2c2b015bb5ca0
git.kernel.org/...c/a1be1c9ece26cea69654f28b255ff9a7906b897b
git.kernel.org/...c/ac33733b10b484d666f97688561670afd5861383