On Sat, Jun 20, 2026 at 09:44:21PM -0500, Bryam Vargas via B4 Relay wrote:
> From: Bryam Vargas <[email protected]>
>
> length
some kind of corruption here.
> virtio_crypto_dataq_akcipher_callback() sets the result length from the
> device-reported response length without bounding it to the destination
> buffer, which was allocated for the original request length.
> sg_copy_from_buffer() then reads that many bytes from the destination
> buffer; a backend reporting a larger length over-reads adjacent kernel
> heap into the caller's scatterlist (an out-of-bounds read).
>
> Clamp the reported length to the originally requested destination length.
> A conforming device reports no more than that, so valid results are
> unaffected.
>
> Fixes: a36bd0ad9fbf ("virtio-crypto: adjust dst_len at ops callback")
> Cc: [email protected]
> Signed-off-by: Bryam Vargas <[email protected]>
> ---
> drivers/crypto/virtio/virtio_crypto_akcipher_algs.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
> b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
> index d8d452cac391..64ea141f018c 100644
> --- a/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
> +++ b/drivers/crypto/virtio/virtio_crypto_akcipher_algs.c
> @@ -88,7 +88,8 @@ static void virtio_crypto_dataq_akcipher_callback(struct
> virtio_crypto_request *
> }
>
> /* actual length may be less than dst buffer */
> - akcipher_req->dst_len = len - sizeof(vc_req->status);
> + akcipher_req->dst_len = min_t(unsigned int, len -
> sizeof(vc_req->status),
> + akcipher_req->dst_len);
> sg_copy_from_buffer(akcipher_req->dst, sg_nents(akcipher_req->dst),
> vc_akcipher_req->dst_buf, akcipher_req->dst_len);
> virtio_crypto_akcipher_finalize_req(vc_akcipher_req, akcipher_req,
> error);
>
> ---
> base-commit: 1a3746ccbb0a97bed3c06ccde6b880013b1dddc1
> change-id: 20260620-b4-disp-27caeeac-5b8b67962fdd
>
> Best regards,
> --
> Bryam Vargas <[email protected]>
>
