From e98a03b80e8db81337f12ada5a30170acd38d0eb Mon Sep 17 00:00:00 2001 From: Daniel Pouzzner Date: Wed, 10 Jun 2026 14:11:50 -0500 Subject: [PATCH] fix F=3524: Heap Buffer Overflow in km_direct_rsa_dec When req->dst_len < ctx->key_len --- linuxkm/lkcapi_rsa_glue.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/linuxkm/lkcapi_rsa_glue.c b/linuxkm/lkcapi_rsa_glue.c index c0cac0df5d..4fb126605d 100644 --- a/linuxkm/lkcapi_rsa_glue.c +++ b/linuxkm/lkcapi_rsa_glue.c @@ -792,8 +792,12 @@ static int km_direct_rsa_dec(struct akcipher_request *req) goto rsa_dec_out; } - if (req->dst_len <= 0 || req->dst_len > (unsigned int) ctx->key_len) { - err = -EINVAL; + if (req->dst_len != (unsigned int)ctx->key_len) { + if ((req->dst_len > 0) && (req->dst_len < (unsigned int)ctx->key_len)) + err = -EOVERFLOW; + else + err = -EINVAL; + req->dst_len = ctx->key_len; goto rsa_dec_out; }