In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
Stanislav reported that in bpf_crypto_crypt() the destination dynptr's size is not validated to be at least as large as the source dynptr's size before calling into the crypto backend with 'len = src_len'. This can result in an OOB write when the destination is smaller than the source.
Concretely, in the mentioned function, psrc and pdst are both linear buffers fetched from each dynptr:

    psrc = __bpf_dynptr_data(src, src_len);
    [...]
    pdst = __bpf_dynptr_data_rw(dst, dst_len);
    [...]
    err = decrypt ?
          ctx->type->decrypt(ctx->tfm, psrc, pdst, src_len, piv) :
          ctx->type->encrypt(ctx->tfm, psrc, pdst, src_len, piv);

The crypto backend expects pdst to be large enough that src_len bytes can be written to it. Add an additional src_len > dst_len check and bail out if that is the case. Note that these kfuncs are accessible under root privileges only.
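The effect of the missing bound can be seen in a userspace model, added here as an illustration and not kernel code. `struct view`, `toy_encrypt`, the guard-byte arena and the `-EINVAL` return value are assumptions standing in for the dynptr, the crypto backend and the bail-out path.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Userspace model: "struct view" stands in for a dynptr (pointer + size). */
struct view { unsigned char *data; size_t size; };
typedef int (*crypt_fn)(const struct view *src, struct view *dst);

/* Toy backend honouring the contract in the text: writes len bytes to dst. */
static int toy_encrypt(const unsigned char *src, unsigned char *dst, size_t len)
{
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i] ^ 0x5a;
    return 0;
}

/* Pre-fix shape: the length handed to the backend comes from src only. */
static int crypt_unchecked(const struct view *src, struct view *dst)
{
    return toy_encrypt(src->data, dst->data, src->size);
}

/* Post-fix shape: bail out when src_len > dst_len (-EINVAL is assumed). */
static int crypt_checked(const struct view *src, struct view *dst)
{
    if (src->size > dst->size)
        return -EINVAL;
    return toy_encrypt(src->data, dst->data, src->size);
}

/* 8-byte dst inside a 32-byte arena; returns how many guard bytes changed. */
static size_t guard_bytes_clobbered(crypt_fn fn, int *err)
{
    unsigned char arena[32], input[16];
    size_t n = 0;
    memset(arena, 0xAA, sizeof(arena));  /* guard pattern */
    memset(input, 0x11, sizeof(input));  /* constructed plaintext */
    struct view src = { input, sizeof(input) }, dst = { arena, 8 };
    *err = fn(&src, &dst);
    for (size_t i = dst.size; i < sizeof(arena); i++) n += (arena[i] != 0xAA);
    return n;
}

int main(void)
{
    int e1, e2;
    size_t bad = guard_bytes_clobbered(crypt_unchecked, &e1);
    return !(bad == 8 && guard_bytes_clobbered(crypt_checked, &e2) == 0 && e2 == -EINVAL);
}
```

With a 16-byte source and an 8-byte destination, the unchecked variant reports success while overwriting the 8 guard bytes that follow the destination; the checked variant returns an error before the backend is called.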
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/39xxx/CVE-2025-39917.json",
"cna_assigner": "Linux"
}