common/SPECS/linux/v6.12: Backport CVE-2026-31431 (algif_aead Copy.Fail) #1649
Open
dcasota wants to merge 1 commit into vmware:common from
[ Upstream commit a664bf3d603d ]
This mostly reverts upstream commit 72548b093ee3 ("crypto: algif_aead -
copy AAD from src to dst") except for the copying of the associated
data. The Photon common-branch v6.12 kernel ships 6.12.78-stable,
which predates mainline's move to memcpy_sglist(), so the upstream
patch (a664bf3d603d) does not apply directly.
Backport rewrites _aead_recvmsg to:
- Always allocate areq->tsgl via af_alg_count_tsgl(sk, processed)
  and pull the entire processed range into it.
- Copy AAD from areq->tsgl into the RX SGL via
  crypto_aead_copy_sgl(null_tfm, ...) (kept from 6.12.x stable in
  lieu of memcpy_sglist()).
- Pass tsgl_src (== areq->tsgl) as the crypto source so the AEAD
  operation runs out-of-place; the in-place sg_chain() of the tag
  onto the destination SGL is removed.
- Drop the now-unused offset / dst_offset parameters from
  af_alg_count_tsgl()/af_alg_pull_tsgl() and update all call sites
  (crypto/algif_skcipher.c, crypto/algif_aead.c,
  include/crypto/if_alg.h).
Validated by applying the patch to a pristine v6.12.78 stable tree.
Specs touched:
  SPECS/linux/v6.12/linux.spec Release 4 -> 5
  SPECS/linux/v6.12/linux-esx.spec Release 3 -> 4
Change-Id: Ia1f0ec18a3362d3ce91169a79028f16a460d7dbd
CVE: CVE-2026-31431
Fixes: 72548b093ee3 ("crypto: algif_aead - copy AAD from src to dst")
Assisted-by: claude-opus-4-7 [via Claude Code]
This was referenced May 1, 2026
Summary
Backport of upstream Linux commit a664bf3d603d ("crypto: algif_aead - Revert to operating out-of-place") to the 6.12.78 kernel shipped in SPECS/linux/v6.12/ on the common branch (active when photon_subrelease ≥ 92). Fixes CVE-2026-31431 — the "Copy.Fail" in-place AEAD bug. The mainline patch does not apply directly because 6.12.x stable predates memcpy_sglist().

What changed
- SPECS/linux/v6.12/CVE/0001-crypto-algif_aead-CVE-2026-31431-Revert-to-out-of-place.patch
- SPECS/linux/v6.12/linux.spec Release 4 → 5
- SPECS/linux/v6.12/linux-esx.spec Release 3 → 4

Test plan
- linux-6.12.78.tar.xz (4 files patched, 0 fuzz, 0 rejects)
We will update this PR with the latest test plan progress.

Compliance with kernel Documentation/process/coding-assistants.rst
- Assisted-by: claude-opus-4-7 [via Claude Code] in commit body and patch trailer.
- Signed-off-by: Herbert Xu preserved.
- Signed-off-by: from the assistant. Submitter (dcasota) will add their SoB before merge.

Related
- 5.0/SPECS/91/linux); common/SPECS/linux/v6.1 (separate PR)

🤖 Generated with Claude Code