Cryptographic padding handling / potential information leakage in WireGuard encryption
Description
The commit fixes a cryptographic padding handling issue in WireGuard's packet encryption path. Previously, the code reserved the trailer (padding plus auth tag) and zeroed the padding before expanding the skb head. If that head expansion forced a reallocation and copy of the skb data, the zeros were not carried over, because skb->len had not yet been extended to cover the trailer; the padding could then contain uninitialized memory rather than zeros, potentially leaking that data or breaking padding integrity. The fix reorders the operations so that the trailer is appended and the padding zeroed after the head has been expanded, ensuring the padding zeros are preserved in all code paths.
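To make the ordering problem concrete, the following is an added toy model written for this page; it is not kernel code and not part of the commit. It mimics only the properties that matter here: a buffer with headroom, a live payload of `len` bytes and tailroom, a reallocation that (like the kernel's behaviour described in the commit message) copies only the live payload and leaves the new tailroom uninitialized, and `toy_cow_data`, `toy_cow_head` and `toy_put` as hypothetical stand-ins for the tailroom reservation, head expansion and length extension in the send path. `padding_survives(true)` performs the steps in the pre-fix order (zero the padding, then expand the head) and `padding_survives(false)` in the fixed order; the sizes are constructed so that each expansion reallocates.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Toy skb (hypothetical, not struct sk_buff): buf holds
 * [headroom][payload of len bytes][tailroom]. Fresh allocations are filled
 * with JUNK to stand in for uninitialized heap memory. */
#define JUNK 0xAA

struct toy_skb {
    unsigned char *buf;
    size_t headroom, len, tailroom;
};

static unsigned char *toy_data(struct toy_skb *s) { return s->buf + s->headroom; }
static unsigned char *toy_tail(struct toy_skb *s) { return toy_data(s) + s->len; }

static bool toy_init(struct toy_skb *s, const unsigned char *payload, size_t len,
                     size_t headroom, size_t tailroom)
{
    s->buf = malloc(headroom + len + tailroom);
    if (!s->buf)
        return false;
    memset(s->buf, JUNK, headroom + len + tailroom);
    s->headroom = headroom;
    s->len = len;
    s->tailroom = tailroom;
    memcpy(toy_data(s), payload, len);
    return true;
}

/* Reallocate with new head/tail sizes. Only the live payload [data, data+len)
 * is copied; whatever sat in the old tailroom is discarded and the new
 * tailroom is uninitialized (JUNK). */
static bool toy_realloc(struct toy_skb *s, size_t headroom, size_t tailroom)
{
    unsigned char *nbuf = malloc(headroom + s->len + tailroom);
    if (!nbuf)
        return false;
    memset(nbuf, JUNK, headroom + s->len + tailroom);
    memcpy(nbuf + headroom, toy_data(s), s->len);
    free(s->buf);
    s->buf = nbuf;
    s->headroom = headroom;
    s->tailroom = tailroom;
    return true;
}

/* Stand-in for the tailroom reservation (skb_cow_data-like). */
static bool toy_cow_data(struct toy_skb *s, size_t need)
{
    return s->tailroom >= need || toy_realloc(s, s->headroom, need);
}

/* Stand-in for the head expansion done for the WireGuard and network headers. */
static bool toy_cow_head(struct toy_skb *s, size_t need)
{
    return s->headroom >= need || toy_realloc(s, need, s->tailroom);
}

/* Stand-in for skb_put(): extend len over the tailroom. */
static unsigned char *toy_put(struct toy_skb *s, size_t n)
{
    unsigned char *p = toy_tail(s);
    if (n > s->tailroom)
        return NULL;
    s->len += n;
    s->tailroom -= n;
    return p;
}

/* Run the steps in either order and report whether the padding bytes that end
 * up inside the packet are all zero. pad_first == true is the pre-fix order. */
static bool padding_survives(bool pad_first)
{
    static const unsigned char payload[] = {1, 2, 3, 4, 5}; /* constructed sample */
    const size_t padding_len = 11, tag_len = 16, trailer_len = padding_len + tag_len;
    const size_t header_need = 64; /* more headroom than we start with: forces a realloc */
    struct toy_skb s;
    unsigned char *pad;
    bool ok = true;

    if (!toy_init(&s, payload, sizeof payload, 16, 0))
        return false;

    if (pad_first) {
        if (!toy_cow_data(&s, trailer_len)) { ok = false; goto out; }
        memset(toy_tail(&s), 0, padding_len);      /* zeros live beyond len */
        if (!toy_cow_head(&s, header_need)) { ok = false; goto out; } /* realloc drops them */
    } else {
        if (!toy_cow_head(&s, header_need)) { ok = false; goto out; }
        if (!toy_cow_data(&s, trailer_len)) { ok = false; goto out; }
        memset(toy_tail(&s), 0, padding_len);      /* no further realloc follows */
    }

    /* Commit the padding into the packet and inspect what it contains. */
    pad = toy_put(&s, padding_len);
    if (!pad) { ok = false; goto out; }
    for (size_t i = 0; i < padding_len; i++)
        if (pad[i] != 0) { ok = false; break; }
out:
    free(s.buf);
    return ok;
}

int main(void)
{
    printf("pad then expand head: padding zeroed = %s\n", padding_survives(true) ? "yes" : "no");
    printf("expand head then pad: padding zeroed = %s\n", padding_survives(false) ? "yes" : "no");
    return 0;
}
```

In the pre-fix order the bytes that get padded into the packet are the JUNK fill of the reallocated tailroom, which is exactly the uninitialized data the description warns about; in the fixed order the memset is the last thing that touches the tailroom before the length is extended, so the zeros are what gets encrypted.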
Commit Details
Author: Jason A. Donenfeld
Date: 2026-05-29 17:31 UTC
Message:
wireguard: send: append trailer after expanding head
With how this is currently written, we add the trailer, zero it out, and
then add the header space on. If that header space requires a
reallocation + copy, the zeros in the trailer aren't copied, because the
skb len hasn't actually been yet expanded to cover that. Instead add the
padding at the end of the process rather than at the beginning.
Fixes: e7096c131e51 ("net: WireGuard secure network tunnel")
Cc: stable@vger.kernel.org
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Link: https://patch.msgid.link/20260529173134.3080773-2-Jason@zx2c4.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Triage Assessment
Vulnerability Type: Cryptographic weakness
Confidence: MEDIUM
Reasoning:
The patch changes the timing/order of memory allocation and zero-padding during encryption, ensuring padding zeros are included in the skb even if a reallocation occurs. This addresses a potential data integrity/padding handling bug in the cryptographic path, which could otherwise lead to incorrect padding or leakage of uninitialized data during encryption.
Verification Assessment
Vulnerability Type: Cryptographic padding handling / potential information leakage in WireGuard encryption
Confidence: MEDIUM
Affected Versions: 7.0-rc6 and earlier (WireGuard send path in drivers/net/wireguard/send.c); fixed in this commit
Code Diff
diff --git a/drivers/net/wireguard/send.c b/drivers/net/wireguard/send.c
index 26e09c30d596ca..67d01478eb76dd 100644
--- a/drivers/net/wireguard/send.c
+++ b/drivers/net/wireguard/send.c
@@ -177,16 +177,6 @@ static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
trailer_len = padding_len + noise_encrypted_len(0);
plaintext_len = skb->len + padding_len;
- /* Expand data section to have room for padding and auth tag. */
- num_frags = skb_cow_data(skb, trailer_len, &trailer);
- if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
- return false;
-
- /* Set the padding to zeros, and make sure it and the auth tag are part
- * of the skb.
- */
- memset(skb_tail_pointer(trailer), 0, padding_len);
-
/* Expand head section to have room for our header and the network
* stack's headers.
*/
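Review bot: Removing this block is the right fix for the ordering bug: the memset writes padding_len zeros at skb_tail_pointer(trailer), which lies beyond skb->len (plaintext_len is computed here but the length is not yet extended), so a reallocating head expansion that follows copies only the live data and silently discards those zeros. One thing to confirm in the rest of the function: num_frags and trailer are no longer assigned before the head expansion, so nothing between this point and the re-added skb_cow_data may rely on them.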
@@ -198,6 +188,16 @@ static bool encrypt_packet(struct sk_buff *skb, struct noise_keypair *keypair)
skb_checksum_help(skb)))
return false;
+ /* Expand data section to have room for padding and auth tag. */
+ num_frags = skb_cow_data(skb, trailer_len, &trailer);
+ if (unlikely(num_frags < 0 || num_frags > ARRAY_SIZE(sg)))
+ return false;
+
+ /* Set the padding to zeros, and make sure it and the auth tag are part
+ * of the skb.
+ */
+ memset(skb_tail_pointer(trailer), 0, padding_len);
+
/* Only after checksumming can we safely add on the padding at the end
* and the header.
*/
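Review bot: The comment "make sure it and the auth tag are part of the skb" overstates what the re-added memset does; it only zeroes padding_len bytes past the tail pointer of trailer, while the padding and tag are actually added to the skb only after the "Only after checksumming" comment below. Consider rewording to state that skb_cow_data has reserved trailer_len bytes of tailroom and that the length is extended further down, so the constraint from the commit message (zero the padding only after any reallocation has happened) is visible at this site rather than implied by position.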