APPLIED: [SRU][J/N/P][PATCH 0/2] CVE-2025-39964
Stefan Bader
stefan.bader at canonical.com
Fri Oct 24 14:45:02 UTC 2025
On 16/10/2025 00:48, Ian Whitfield wrote:
> [Impact]
>
> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
>
> Issuing two writes to the same af_alg socket is bogus as the
> data will be interleaved in an unpredictable fashion. Furthermore,
> concurrent writes may create inconsistencies in the internal
> socket state.
>
> Disallow this by adding a new ctx->write field that indicates
> exclusive ownership for writing.
>
> [Backport]
>
> The fix commit for this CVE has a follow-up to address a bug in the fix commit.
> Both commits cherry-picked cleanly, the same .patch files can be used for Jammy,
> Noble, and Plucky. Questing was already fixed.
>
> [Fix]
>
> Questing: Not affected
> Plucky: Cherry pick fix + follow-up
> Noble: Cherry pick fix + follow-up
> Jammy: Cherry pick fix + follow-up
> Focal: Sent to ESM ML
> Bionic: Sent to ESM ML
> Xenial: Sent to ESM ML
> Trusty: Ignored, not a critical CVE
>
> [Test Case]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> This fix affects those who use the user space interface to the kernel's crypto
> algorithms (CONFIG_CRYPTO_USER_API enabled). An issue with this fix would be
> visible to the user as race conditions or lockups when sending messages to the
> kernel's cryptography interface.
>
> Eric Biggers (1):
> crypto: af_alg - Fix incorrect boolean values in af_alg_ctx
>
> Herbert Xu (1):
> crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
>
> crypto/af_alg.c | 7 +++++++
> include/crypto/if_alg.h | 10 ++++++----
> 2 files changed, 13 insertions(+), 4 deletions(-)
>
Applied to plucky,noble,jammy:linux/master-next. Thanks.
-Stefan