Hello:
This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@xxxxxxxxxx>:
On Fri, 29 Aug 2025 16:36:56 +0200 you wrote:
> Stanislav reported that in bpf_crypto_crypt() the destination dynptr's
> size is not validated to be at least as large as the source dynptr's
> size before calling into the crypto backend with 'len = src_len'. This
> can result in an OOB write when the destination is smaller than the
> source.
>
> Concretely, in mentioned function, psrc and pdst are both linear
> buffers fetched from each dynptr:
>
> [...]
Here is the summary with links:
- [bpf,1/2] bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
https://git.kernel.org/bpf/bpf/c/51ae4ca30f11
- [bpf,2/2] selftests/bpf: Extend crypto_sanity selftest with invalid dst buffer
https://git.kernel.org/bpf/bpf/c/5aa00f0e9589
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
