[SRU][J/N/P][PATCH 0/2] CVE-2025-39964

Ian Whitfield ian.whitfield at canonical.com
Wed Oct 15 22:48:28 UTC 2025


[Impact]

crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

Issuing two writes to the same af_alg socket is bogus as the
data will be interleaved in an unpredictable fashion.  Furthermore,
concurrent writes may create inconsistencies in the internal
socket state.

Disallow this by adding a new ctx->write field that indicates
exclusive ownership for writing.
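To make the behaviour described above concrete, here is an added, constructed userspace model of the socket state; it is not the kernel's af_alg code. The model keeps an `owner` field, returns -EBUSY to a second writer and releases ownership when a message without MSG_MORE lands; all three are assumptions of the model, not details taken from the patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the pieces of af_alg_ctx the fix touches:
 * a pending-data buffer plus the 'more' and new 'write' flags. */
struct alg_ctx_model {
    char buf[64];
    size_t len;
    bool more;   /* a partial message (MSG_MORE) is still in flight */
    bool write;  /* set while one writer holds exclusive ownership */
    int owner;   /* model only: which writer claimed ownership */
};

/* Model of af_alg_sendmsg. 'enforce' toggles the fix so the unpatched
 * interleaving can be shown next to the patched rejection.
 * Returning -EBUSY to a second writer is an assumption of this model. */
static int sendmsg_model(struct alg_ctx_model *ctx, int writer,
                         const char *data, size_t n, bool more, bool enforce)
{
    if (enforce && ctx->write && ctx->owner != writer)
        return -EBUSY;                 /* another writer owns the write side */
    if (n > sizeof(ctx->buf) - 1 - ctx->len)
        return -EMSGSIZE;
    ctx->owner = writer;
    memcpy(ctx->buf + ctx->len, data, n);
    ctx->len += n;
    ctx->buf[ctx->len] = '\0';
    ctx->more = more;
    /* Ownership persists while MSG_MORE is set and is released once the
     * final fragment arrives (model assumption). */
    ctx->write = more;
    return (int)n;
}

/* Runs the two-writer scenario from the commit message; returns the buffer
 * contents and reports the second writer's return code via *second_rc. */
static const char *two_writers(bool enforce, struct alg_ctx_model *ctx, int *second_rc)
{
    memset(ctx, 0, sizeof(*ctx));
    sendmsg_model(ctx, 1, "abc", 3, true, enforce);               /* writer 1, MSG_MORE */
    *second_rc = sendmsg_model(ctx, 2, "XYZ", 3, false, enforce); /* writer 2 barges in */
    sendmsg_model(ctx, 1, "def", 3, false, enforce);              /* writer 1 finishes */
    return ctx->buf;
}

int main(void)
{
    struct alg_ctx_model ctx; int rc;
    printf("unpatched: %s\n", two_writers(false, &ctx, &rc));
    printf("patched:   %s (second writer rc=%d)\n", two_writers(true, &ctx, &rc), rc);
    return 0;
}
```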

[Backport]

The fix commit for this CVE has a follow-up to address a bug in the fix commit.
Both commits cherry-picked cleanly, the same .patch files can be used for Jammy,
Noble, and Plucky. Questing was already fixed.

[Fix]

Questing: Not affected
Plucky:   Cherry pick fix + follow-up
Noble:    Cherry pick fix + follow-up
Jammy:    Cherry pick fix + follow-up
Focal:    Sent to ESM ML
Bionic:   Sent to ESM ML
Xenial:   Sent to ESM ML
Trusty:   Ignored, not a critical CVE

[Test Case]

Compile and boot tested.

[Where problems could occur]

This fix affects those who use the user space interface to the kernel's crypto
algorithms (CONFIG_CRYPTO_USER_API enabled). An issue with this fix would be
visible to the user as race conditions or lockups when sending messages to the
kernel's cryptography interface.

Eric Biggers (1):
  crypto: af_alg - Fix incorrect boolean values in af_alg_ctx

Herbert Xu (1):
  crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg

 crypto/af_alg.c         |  7 +++++++
 include/crypto/if_alg.h | 10 ++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

-- 
2.43.0
