forked from rpms/raspberrypi2
parent
7e436cbe54
commit
b91ed68b31
64
SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch
Normal file
64
SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch
Normal file
@ -0,0 +1,64 @@
|
||||
From: Andrew Lukoshko <alukoshko@almalinux.org>
|
||||
Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through pskb_copy()
|
||||
|
||||
Backport of upstream patch posted at
|
||||
https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/
|
||||
(sibling to the xfrm/esp shared-frag fix upstream commit f4c50a4034e6,
|
||||
already merged into 6.12.0-124.56.1 via the c10s import).
|
||||
|
||||
__pskb_copy_fclone() shallow-copies the source's frag descriptors and
|
||||
bumps each page's refcount via skb_frag_ref(), then defers the rest
|
||||
of the shinfo metadata to skb_copy_header(). That helper only carries
|
||||
over gso_{size,segs,type} and never touches skb_shinfo()->flags, so
|
||||
the destination skb keeps a reference to the same externally-owned or
|
||||
page-cache-backed pages while reporting skb_has_shared_frag() as
|
||||
false.
|
||||
|
||||
The mismatch is harmful in any in-place writer that uses
|
||||
skb_has_shared_frag() to decide whether shared pages must be detoured
|
||||
through skb_cow_data(). ESP input is one such writer (esp4.c,
|
||||
esp6.c), and a single nft 'dup to <local>' rule -- or any other
|
||||
nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d
|
||||
skb in esp_input() with the marker stripped, letting an unprivileged
|
||||
user write into the page cache of a root-owned read-only file via
|
||||
authencesn-ESN stray writes.
|
||||
|
||||
Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
|
||||
were actually moved from the source. skb_copy() and skb_copy_expand()
|
||||
share skb_copy_header() too but linearize all paged data into freshly
|
||||
allocated head storage and emerge with nr_frags == 0, so
|
||||
skb_has_shared_frag() returns false on its own; they need no change.
|
||||
|
||||
Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
|
||||
against kernel-6.12.0-124.56.1.el10_1.
|
||||
|
||||
Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
|
||||
Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
|
||||
Reported-by: William Bowling <vakzz@zellic.io>
|
||||
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
|
||||
Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
|
||||
---
|
||||
net/core/skbuff.c | 3 +++
|
||||
1 file changed, 3 insertions(+)
|
||||
|
||||
--- a/net/core/skbuff.c
|
||||
+++ b/net/core/skbuff.c
|
||||
@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
|
||||
skb_frag_ref(skb, i);
|
||||
}
|
||||
skb_shinfo(n)->nr_frags = i;
|
||||
+ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
|
||||
}
|
||||
|
||||
if (skb_has_frag_list(skb)) {
|
||||
@@ -6028,6 +6029,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
|
||||
from_shinfo->frags,
|
||||
from_shinfo->nr_frags * sizeof(skb_frag_t));
|
||||
to_shinfo->nr_frags += from_shinfo->nr_frags;
|
||||
+ if (from_shinfo->nr_frags)
|
||||
+ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
|
||||
|
||||
if (!skb_cloned(from))
|
||||
from_shinfo->nr_frags = 0;
|
||||
--
|
||||
2.43.0
|
||||
@ -11,7 +11,7 @@ ExclusiveArch: aarch64
|
||||
|
||||
%define local_version v8
|
||||
%define bcmmodel 2711
|
||||
%define extra_version 5
|
||||
%define extra_version 6
|
||||
|
||||
# This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
|
||||
# Be careful to change this not to disturb the seamless package update.
|
||||
@ -52,11 +52,14 @@ Source2000: cpupower.service
|
||||
Source2001: cpupower.config
|
||||
Source2002: kvm_stat.logrotate
|
||||
# AlmaLinux patches
|
||||
## CVE-2026-31431
|
||||
## CVE-2026-31431: Copy Fail
|
||||
Patch1100: 1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch
|
||||
## Dirty Frag
|
||||
## CVE-2026-43284: Dirty Frag
|
||||
Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
|
||||
## CVE-2026-43500 Dirty Frag
|
||||
Patch1102: 1102-rxrpc-linearize-paged-frags.patch
|
||||
## CVE-2026-46300: Fragnesia
|
||||
Patch1103: 1103-net-skbuff-propagate-shared-frag-marker.patch
|
||||
|
||||
BuildRequires: kmod, patch, bash, coreutils, tar
|
||||
BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk
|
||||
@ -239,6 +242,7 @@ glibc package.
|
||||
%patch -P 1100 -p1
|
||||
%patch -P 1101 -p1
|
||||
%patch -P 1102 -p1
|
||||
%patch -P 1103 -p1
|
||||
perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
|
||||
perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
|
||||
perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
|
||||
@ -543,9 +547,12 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu May 14 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.6
|
||||
- net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300}
|
||||
|
||||
* Fri May 08 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.5
|
||||
- rxrpc: linearize incoming DATA packet when it has paged frags
|
||||
- xfrm: esp: avoid in-place decrypt on shared skb frags
|
||||
- rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500}
|
||||
- xfrm: esp: avoid in-place decrypt on shared skb frags {CVE-2026-43284}
|
||||
|
||||
* Thu Apr 30 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.4
|
||||
- Update CVE-2026-31431 patch to include more upstream commits
|
||||
|
||||
Loading…
Reference in New Issue
Block a user