CVE-2023-53599

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/10/2025
Last modified:
06/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

crypto: af_alg - Fix missing initialisation affecting gcm-aes-s390

Fix af_alg_alloc_areq() to initialise areq->first_rsgl.sgl.sgt.sgl to point
to the scatterlist array in areq->first_rsgl.sgl.sgl.

Without this, the gcm-aes-s390 driver will oops when it tries to do
gcm_walk_start() on req->dst because req->dst is set to the value of
areq->first_rsgl.sgl.sgl by _aead_recvmsg() calling
aead_request_set_crypt().

The problem comes if an empty ciphertext is passed: the loop in
af_alg_get_rsgl() just passes straight out and doesn't set areq->first_rsgl
up.

This isn't a problem on x86_64 using gcmaes_crypt_by_sg() because, as far
as I can tell, that ignores req->dst and only uses req->src[*].

[*] Is this a bug in aesni-intel_glue.c?

The s390x oops looks something like:

 Unable to handle kernel pointer dereference in virtual kernel address space
 Failing address: 0000000a00000000 TEID: 0000000a00000803
 Fault in home space mode while using kernel ASCE.
 AS:00000000a43a0007 R3:0000000000000024
 Oops: 003b ilc:2 [#1] SMP
 ...
 Call Trace:
  [] gcm_walk_start+0x16/0x28 [aes_s390]
  [] crypto_aead_decrypt+0x9a/0xb8
  [] aead_recvmsg+0x478/0x698
  [] sock_recvmsg+0x70/0xb0
  [] sock_read_iter+0x76/0xa0
  [] vfs_read+0x26e/0x2a8
  [] ksys_read+0xbc/0x100
  [] __do_syscall+0x1d0/0x1f8
  [] system_call+0x70/0x98
 Last Breaking-Event-Address:
  [] gcm_aes_crypt+0x104/0xa68 [aes_s390]
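
The missing initialisation described above, reduced to a small user-space C model that compares the request state with and without the fix for an empty and a non-empty input. This is an added example, not kernel code or the patch itself: the `_m` types, `MODEL_MAX_PAGES`, the 4096-byte chunk size and the zeroed starting state are assumptions, and only the `first_rsgl.sgl.sgt.sgl` / `first_rsgl.sgl.sgl` field path is taken from the description.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_PAGES 4 /* constructed value, not the kernel's */

/* Simplified stand-ins: only the fields named in the description are kept. */
struct scatterlist_m { size_t length; };
struct sg_table_m { struct scatterlist_m *sgl; unsigned int nents; };
struct af_alg_sgl_m { struct sg_table_m sgt; struct scatterlist_m sgl[MODEL_MAX_PAGES]; };
struct areq_m { struct { struct af_alg_sgl_m sgl; } first_rsgl; };

/* Model of af_alg_alloc_areq(); 'fixed' selects whether the added line is present. */
static void model_alloc_areq(struct areq_m *areq, bool fixed)
{
    memset(areq, 0, sizeof(*areq)); /* model assumption: zeroed start state */
    if (fixed)
        areq->first_rsgl.sgl.sgt.sgl = areq->first_rsgl.sgl.sgl;
}

/* Model of the af_alg_get_rsgl() loop: the table is set up only while data remains. */
static void model_get_rsgl(struct areq_m *areq, size_t outlen)
{
    struct af_alg_sgl_m *s = &areq->first_rsgl.sgl;
    while (outlen > 0 && s->sgt.nents < MODEL_MAX_PAGES) {
        size_t chunk = outlen < 4096 ? outlen : 4096;
        s->sgt.sgl = s->sgl;            /* pointer set as a side effect of the loop */
        s->sgl[s->sgt.nents++].length = chunk;
        outlen -= chunk;
    }
}

/* True when the destination a driver would walk is the embedded scatterlist array. */
static bool model_dst_is_valid(bool fixed, size_t outlen)
{
    struct areq_m areq;
    model_alloc_areq(&areq, fixed);
    model_get_rsgl(&areq, outlen);      /* outlen == 0: loop body never runs */
    struct scatterlist_m *dst = areq.first_rsgl.sgl.sgt.sgl;
    return dst == areq.first_rsgl.sgl.sgl;
}

int main(void)
{
    printf("unfixed, empty input: dst valid = %d\n", model_dst_is_valid(false, 0));
    printf("unfixed, 16 bytes:    dst valid = %d\n", model_dst_is_valid(false, 16));
    printf("fixed,   empty input: dst valid = %d\n", model_dst_is_valid(true, 0));
    return 0;
}
```

Only the unfixed, zero-length case leaves the destination pointer unset, which is why the defect stays hidden until an empty input reaches a driver that actually walks `req->dst`.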

Impact