From 0d745aa92714f7c2199e9938afb3938e1c39083f Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Fri, 15 May 2026 04:06:05 +0000 Subject: [PATCH] Apply Fragnesia fixes --- ...-skbuff-propagate-shared-frag-marker.patch | 64 +++++++++++++++++++ SPECS/raspberrypi2.spec | 17 +++-- 2 files changed, 76 insertions(+), 5 deletions(-) create mode 100644 SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch diff --git a/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch b/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch new file mode 100644 index 0000000..03b8c53 --- /dev/null +++ b/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch @@ -0,0 +1,64 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through pskb_copy() + +Backport of upstream patch posted at +https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/ +(sibling to the xfrm/esp shared-frag fix upstream commit f4c50a4034e6, +already merged into 6.12.0-124.56.1 via the c10s import). + +__pskb_copy_fclone() shallow-copies the source's frag descriptors and +bumps each page's refcount via skb_frag_ref(), then defers the rest +of the shinfo metadata to skb_copy_header(). That helper only carries +over gso_{size,segs,type} and never touches skb_shinfo()->flags, so +the destination skb keeps a reference to the same externally-owned or +page-cache-backed pages while reporting skb_has_shared_frag() as +false. + +The mismatch is harmful in any in-place writer that uses +skb_has_shared_frag() to decide whether shared pages must be detoured +through skb_cow_data(). ESP input is one such writer (esp4.c, +esp6.c), and a single nft 'dup to ' rule -- or any other +nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d +skb in esp_input() with the marker stripped, letting an unprivileged +user write into the page cache of a root-owned read-only file via +authencesn-ESN stray writes. + +Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors +were actually moved from the source. skb_copy() and skb_copy_expand() +share skb_copy_header() too but linearize all paged data into freshly +allocated head storage and emerge with nr_frags == 0, so +skb_has_shared_frag() returns false on its own; they need no change. + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.56.1.el10_1. + +Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") +Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") +Reported-by: William Bowling +Reported-by: Hyunwoo Kim +Signed-off-by: Andrew Lukoshko +--- + net/core/skbuff.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom, + skb_frag_ref(skb, i); + } + skb_shinfo(n)->nr_frags = i; ++ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; + } + + if (skb_has_frag_list(skb)) { +@@ -6028,6 +6029,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, + from_shinfo->frags, + from_shinfo->nr_frags * sizeof(skb_frag_t)); + to_shinfo->nr_frags += from_shinfo->nr_frags; ++ if (from_shinfo->nr_frags) ++ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; + + if (!skb_cloned(from)) + from_shinfo->nr_frags = 0; +-- +2.43.0 diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 0b875d0..c68ce9a 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 5 +%define extra_version 6 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -52,11 +52,14 @@ Source2000: cpupower.service Source2001: cpupower.config Source2002: kvm_stat.logrotate # AlmaLinux patches -## CVE-2026-31431 +## CVE-2026-31431: Copy Fail Patch1100: 1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch -## Dirty Frag +## CVE-2026-43284: Dirty Frag Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +## CVE-2026-43500 Dirty Frag Patch1102: 1102-rxrpc-linearize-paged-frags.patch +## CVE-2026-46300: Fragnesia +Patch1103: 1103-net-skbuff-propagate-shared-frag-marker.patch BuildRequires: kmod, patch, bash, coreutils, tar BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk @@ -239,6 +242,7 @@ glibc package. %patch -P 1100 -p1 %patch -P 1101 -p1 %patch -P 1102 -p1 +%patch -P 1103 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig @@ -543,9 +547,12 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Thu May 14 2026 Koichiro Iwao - 6.12.47-20250916.v8.6 +- net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300} + * Fri May 08 2026 Koichiro Iwao - 6.12.47-20250916.v8.5 -- rxrpc: linearize incoming DATA packet when it has paged frags -- xfrm: esp: avoid in-place decrypt on shared skb frags +- rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500} +- xfrm: esp: avoid in-place decrypt on shared skb frags {CVE-2026-43284} * Thu Apr 30 2026 Koichiro Iwao - 6.12.47-20250916.v8.4 - Update CVE-2026-31431 patch to include more upstream commits