patch 'crypto/openssl: fix SM2 public key buffer overflow' has been queued to stable release 25.11.1

Kevin Traynor ktraynor at redhat.com
Fri Mar 27 11:01:20 CET 2026


Hi,

FYI, your patch has been queued to stable release 25.11.1

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/31/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/2c83244b4b65eff5e88b76bf4bc6d46b210bc466

Thanks.

Kevin

---
From 2c83244b4b65eff5e88b76bf4bc6d46b210bc466 Mon Sep 17 00:00:00 2001
From: Kai Ji <kai.ji at intel.com>
Date: Wed, 25 Mar 2026 16:27:08 +0000
Subject: [PATCH] crypto/openssl: fix SM2 public key buffer overflow

[ upstream commit becf14f6f6d4d1ae834b797a0f9f83e0bea605c3 ]

The SM2 session setup path in openssl_set_asym_session_parameters()
copies the caller-supplied public key coordinates into a fixed 65-byte
stack buffer (1 byte uncompressed-point prefix + 32 bytes X + 32 bytes
Y) without first validating that the coordinate lengths fit.

Since xform->ec.q.x.length and xform->ec.q.y.length are generic size_t
values from the caller and are not bounds-checked before this point in
the driver, an oversized coordinate pair would overflow the pubkey[]
stack buffer before any OpenSSL API is reached.

Add a guard that rejects the xform when
1 + x.length + y.length > sizeof(pubkey), failing the session create
with the existing err_sm2 error path.

Fixes: badc0c6f6d6a ("cryptodev: set private and public keys in EC session")

Signed-off-by: Kai Ji <kai.ji at intel.com>
---
 drivers/crypto/openssl/rte_openssl_pmd_ops.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/crypto/openssl/rte_openssl_pmd_ops.c b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
index 5095e6cbea..4d3e503459 100644
--- a/drivers/crypto/openssl/rte_openssl_pmd_ops.c
+++ b/drivers/crypto/openssl/rte_openssl_pmd_ops.c
@@ -1542,4 +1542,10 @@ err_dsa:
 		}
 
+		if (xform->ec.q.x.length >= sizeof(pubkey) ||
+				xform->ec.q.y.length >=
+				sizeof(pubkey) - xform->ec.q.x.length) {
+			OPENSSL_LOG(ERR, "SM2 public key coordinates too large");
+			goto err_sm2;
+		}
 		memset(pubkey, 0, sizeof(pubkey));
 		pubkey[0] = 0x04;
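Review bot: the new `if` bounds only the combined length. It accepts exactly when 1 + x.length + y.length <= sizeof(pubkey), so uneven pairs such as x.length = 60 with y.length = 4, or a zero-length coordinate, still pass. The commit message describes the layout as 1 prefix byte + 32 bytes X + 32 bytes Y. If the copies that follow (not visible in this hunk) place Y at a fixed offset rather than at 1 + x.length, a long Y paired with a short X could still run past pubkey[]. Checking each length against the 32-byte coordinate size, for example `xform->ec.q.x.length > 32 || xform->ec.q.y.length > 32` with a named constant in place of the literal, would be stricter and easier to read. If the subtractive form is kept, a one-line comment saying it is written this way to avoid size_t wraparound in x.length + y.length would help the next reader. The OPENSSL_LOG message could also print both lengths so a rejected xform can be diagnosed from the log alone.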
-- 
2.53.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-03-27 09:58:26.745677608 +0000
+++ 0020-crypto-openssl-fix-SM2-public-key-buffer-overflow.patch	2026-03-27 09:58:26.148625508 +0000
@@ -1 +1 @@
-From becf14f6f6d4d1ae834b797a0f9f83e0bea605c3 Mon Sep 17 00:00:00 2001
+From 2c83244b4b65eff5e88b76bf4bc6d46b210bc466 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit becf14f6f6d4d1ae834b797a0f9f83e0bea605c3 ]
+
@@ -21 +22,0 @@
-Cc: stable at dpdk.org
@@ -29 +30 @@
-index 6133622f1b..4e5fb07bb2 100644
+index 5095e6cbea..4d3e503459 100644
@@ -32 +33 @@
-@@ -1774,4 +1774,10 @@ err_dsa:
+@@ -1542,4 +1542,10 @@ err_dsa:
