{
  "commit": "5db6ef9847717329f12c5ea8aba7e9f588a980c0",
  "tree": "b9fb6d2a3b9525a9bcfc17d61a7558f0e571084e",
  "parents": [
    "3bfbf5f0a99c991769ec562721285df7ab69240b"
  ],
  "author": {
    "name": "Yucheng Lu",
    "email": "kanolyc@gmail.com",
    "time": "Wed Apr 22 21:45:04 2026 +0800"
  },
  "committer": {
    "name": "Herbert Xu",
    "email": "herbert@gondor.apana.org.au",
    "time": "Thu Apr 23 13:44:06 2026 +0800"
  },
  "message": "crypto: authencesn - reject short ahash digests during instance creation\n\nauthencesn requires either a zero authsize or an authsize of at least\n4 bytes because the ESN encrypt/decrypt paths always move 4 bytes of\nhigh-order sequence number data at the end of the authenticated data.\n\nWhile crypto_authenc_esn_setauthsize() already rejects explicit\nnon-zero authsizes in the range 1..3, crypto_authenc_esn_create()\nstill copied auth-\u003edigestsize into inst-\u003ealg.maxauthsize without\nvalidating it.  The AEAD core then initialized the tfm\u0027s default\nauthsize from that value.\n\nAs a result, selecting an ahash with digest size 1..3, such as\ncbcmac(cipher_null), exposed authencesn instances whose default\nauthsize was invalid even though setauthsize() would have rejected the\nsame value.  AF_ALG could then trigger the ESN tail handling with a\ntoo-short tag and hit an out-of-bounds access.\n\nReject authencesn instances whose ahash digest size is in the invalid\nnon-zero range 1..3 so that no tfm can inherit an unsupported default\nauthsize.\n\nFixes: f15f05b0a5de (\"crypto: ccm - switch to separate cbcmac driver\")\nCc: stable@kernel.org\nReported-by: Yifan Wu \u003cyifanwucs@gmail.com\u003e\nReported-by: Juefei Pu \u003ctomapufckgml@gmail.com\u003e\nCo-developed-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nSigned-off-by: Yuan Tan \u003cyuantan098@gmail.com\u003e\nSuggested-by: Xin Liu \u003cbird@lzu.edu.cn\u003e\nTested-by: Yuhang Zheng \u003cz1652074432@gmail.com\u003e\nReviewed-by: Eric Biggers \u003cebiggers@kernel.org\u003e\nSigned-off-by: Yucheng Lu \u003ckanolyc@gmail.com\u003e\nSigned-off-by: Ren Wei \u003cn05ec@lzu.edu.cn\u003e\nSigned-off-by: Herbert Xu \u003cherbert@gondor.apana.org.au\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "af3d584e584fbc9383afa35dd9d748953f3b99ac",
      "old_mode": 33188,
      "old_path": "crypto/authencesn.c",
      "new_id": "522df41365d8f97e27e3be219b747a3d84a541bb",
      "new_mode": 33188,
      "new_path": "crypto/authencesn.c"
    }
  ]
}
