git-server-git.apps.pok.os.sepia.ceph.com Git

author	Oleh Konko <security@1seal.org>
	Wed, 8 Apr 2026 12:12:33 +0000 (13:12 +0100)
committer	Jakub Kicinski <kuba@kernel.org>
	Thu, 9 Apr 2026 01:44:32 +0000 (18:44 -0700)
commit	d179a868dd755b0cfcf7582e00943d702b9943b8
tree	9be41ad98b280539d8955d3927247d42441e2a58	tree \| snapshot
parent	146d4ab94cf129ee06cd467cb5c71368a6b5bad6	commit \| diff

rxrpc: Fix RxGK token loading to check bounds

rxrpc_preparse_xdr_yfs_rxgk() reads the raw key length and ticket length
from the XDR token as u32 values and passes each through round_up(x, 4)
before using the rounded value for validation and allocation.  When the raw
length is >= 0xfffffffd, round_up() wraps to 0, so the bounds check and
kzalloc both use 0 while the subsequent memcpy still copies the original
~4 GiB value, producing a heap buffer overflow reachable from an
unprivileged add_key() call.

Fix this by:

(1) Rejecting raw key lengths above AFSTOKEN_GK_KEY_MAX and raw ticket
     lengths above AFSTOKEN_GK_TOKEN_MAX before rounding, consistent with
     the caps that the RxKAD path already enforces via AFSTOKEN_RK_TIX_MAX.

(2) Sizing the flexible-array allocation from the validated raw key
     length via struct_size_t() instead of the rounded value.

(3) Caching the raw lengths so that the later field assignments and
     memcpy calls do not re-read from the token, eliminating a class of
     TOCTOU re-parse.

The control path (valid token with lengths within bounds) is unaffected.

Fixes: 0ca100ff4df6 ("rxrpc: Add YFS RxGK (GSSAPI) security class")
Signed-off-by: Oleh Konko <security@1seal.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-6-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>