Skip to content

Commit 8928de9

Browse files
author
CKI KWF Bot
committed
Merge: CVE-2023-53494: crypto: xts - Handle EBUSY correctly
MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7447 JIRA: https://issues.redhat.com/browse/RHEL-119237 CVE: CVE-2023-53494 ``` commit 51c0825 Author: Herbert Xu <herbert@gondor.apana.org.au> Date: Sun Jan 22 16:07:37 2023 +0800 crypto: xts - Handle EBUSY correctly As it is xts only handles the special return value of EINPROGRESS, which means that in all other cases it will free data related to the request. However, as the caller of xts may specify MAY_BACKLOG, we also need to expect EBUSY and treat it in the same way. Otherwise backlogged requests will trigger a use-after-free. Fixes: 8083b1b ("crypto: xts - add support for ciphertext stealing") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> ``` Signed-off-by: CKI Backport Bot <cki-ci-bot+cki-gitlab-backport-bot@redhat.com> --- <small>Created 2025-10-03 16:31 UTC by backporter - [KWF FAQ](https://red.ht/kernel_workflow_doc) - [Slack #team-kernel-workflow](https://redhat-internal.slack.com/archives/C04LRUPMJQ5) - [Source](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/webhook/utils/backporter.py) - [Documentation](https://gitlab.com/cki-project/kernel-workflow/-/blob/main/docs/README.backporter.md) - [Report an issue](https://issues.redhat.com/secure/CreateIssueDetails!init.jspa?pid=12334433&issuetype=1&priority=4&summary=backporter+webhook+issue&components=kernel-workflow+/+backporter)</small> Approved-by: Herbert Xu <zxu@redhat.com> Approved-by: Ondrej Mosnáček <omosnacek@gmail.com> Approved-by: Vladis Dronov <vdronov@redhat.com> Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com> Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>
2 parents db4632c + 615abad commit 8928de9

File tree

1 file changed

+4
-4
lines changed

1 file changed

+4
-4
lines changed

crypto/xts.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -203,12 +203,12 @@ static void xts_encrypt_done(struct crypto_async_request *areq, int err)
203203
if (!err) {
204204
struct xts_request_ctx *rctx = skcipher_request_ctx(req);
205205

206-
rctx->subreq.base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
206+
rctx->subreq.base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
207207
err = xts_xor_tweak_post(req, true);
208208

209209
if (!err && unlikely(req->cryptlen % XTS_BLOCK_SIZE)) {
210210
err = xts_cts_final(req, crypto_skcipher_encrypt);
211-
if (err == -EINPROGRESS)
211+
if (err == -EINPROGRESS || err == -EBUSY)
212212
return;
213213
}
214214
}
@@ -223,12 +223,12 @@ static void xts_decrypt_done(struct crypto_async_request *areq, int err)
223223
if (!err) {
224224
struct xts_request_ctx *rctx = skcipher_request_ctx(req);
225225

226-
rctx->subreq.base.flags &= ~CRYPTO_TFM_REQ_MAY_SLEEP;
226+
rctx->subreq.base.flags &= CRYPTO_TFM_REQ_MAY_BACKLOG;
227227
err = xts_xor_tweak_post(req, false);
228228

229229
if (!err && unlikely(req->cryptlen % XTS_BLOCK_SIZE)) {
230230
err = xts_cts_final(req, crypto_skcipher_decrypt);
231-
if (err == -EINPROGRESS)
231+
if (err == -EINPROGRESS || err == -EBUSY)
232232
return;
233233
}
234234
}

0 commit comments

Comments
 (0)