From 6a2023aeef600a13fefb2ad67bafc3a1aab55485 Mon Sep 17 00:00:00 2001 From: Andrew Lukoshko Date: Tue, 19 May 2026 06:29:16 +0000 Subject: [PATCH] Reapply Dirty Frag + ptrace fixes dropped during 6.12.0-228 import The Debrand commit on top of the kernel-6.12.0-228.el10 import wiped out our four local patches. Restore them verbatim from the parent (bc942b9e7): 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch (CVE-2026-43284) 1101-rxrpc-linearize-paged-frags.patch (CVE-2026-43500) 1102-net-skbuff-propagate-shared-frag-marker.patch 1103-ptrace-require-cap-on-mm-less-task.patch Patch declarations, ApplyPatch entries and a changelog stanza added under the existing 6.12.0-228 version; release is not bumped. --- ...id-in-place-decrypt-shared-skb-frags.patch | 77 +++++++++++++ 1101-rxrpc-linearize-paged-frags.patch | 69 ++++++++++++ ...-skbuff-propagate-shared-frag-marker.patch | 105 ++++++++++++++++++ 1103-ptrace-require-cap-on-mm-less-task.patch | 55 +++++++++ kernel.spec | 14 +++ 5 files changed, 320 insertions(+) create mode 100644 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch create mode 100644 1101-rxrpc-linearize-paged-frags.patch create mode 100644 1102-net-skbuff-propagate-shared-frag-marker.patch create mode 100644 1103-ptrace-require-cap-on-mm-less-task.patch diff --git a/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch new file mode 100644 index 000000000..0fe6a5691 --- /dev/null +++ b/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch @@ -0,0 +1,77 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags + +Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10 +(6.12 kernel). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.55.1.el10_1. + +ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like +ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW +fast path and decrypts in place over data that is not owned privately +by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG +matching TCP, and make ESP input fall back to skb_cow_data() when the +flag is present. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES") +Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES") +(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) +Signed-off-by: Andrew Lukoshko +--- + net/ipv4/esp4.c | 3 ++- + net/ipv4/ip_output.c | 2 ++ + net/ipv6/esp6.c | 3 ++- + net/ipv6/ip6_output.c | 2 ++ + 4 files changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -908,7 +908,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1236,6 +1236,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -950,7 +950,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1769,6 +1769,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +-- +2.43.0 diff --git a/1101-rxrpc-linearize-paged-frags.patch b/1101-rxrpc-linearize-paged-frags.patch new file mode 100644 index 000000000..71f881d12 --- /dev/null +++ b/1101-rxrpc-linearize-paged-frags.patch @@ -0,0 +1,69 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags + +AlmaLinux-specific backport of the intent of the upstream rxrpc fix +posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ for the +"Dirty Frag" class of bugs (sibling to upstream commit f4c50a4034e6 in +the ESP/xfrm subsystem). + +The upstream patch can not be cherry-picked against this 6.12 tree: +its target lines were introduced by upstream commit d0d5c0cd1e71 +("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not +present here. The age-equivalent code path on AlmaLinux 10 is the +centralized skb_unshare() in net/rxrpc/io_thread.c that is run for +every DATA packet with a non-zero securityIndex before in-place +decryption. + +skb_unshare() only handles cloned skbs. An skb that is non-cloned but +carries paged fragments (skb->data_len != 0) — e.g. pages attached via +udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying +rxrpc traffic — slips through and is decrypted in place over data the +skb does not own privately. With kernel-modules-partner installed +(rxrpc.ko enabled), this is exploitable. + +Replace the unconditional skb_unshare() with skb_copy() whenever the +skb is cloned OR carries paged fragments. skb_copy() always returns a +freshly allocated linear skb, so subsequent in-place decryption only +touches kernel-owned memory. The original skb is consumed explicitly +(skb_unshare did this internally via consume_skb()). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no +rejects) against kernel-6.12.0-124.55.1.el10_1. + +Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()") +Signed-off-by: Andrew Lukoshko +--- + net/rxrpc/io_thread.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/net/rxrpc/io_thread.c ++++ b/net/rxrpc/io_thread.c +@@ -235,16 +235,18 @@ + * decryption. + */ + if (sp->hdr.securityIndex != 0) { +- skb = skb_unshare(skb, GFP_ATOMIC); +- if (!skb) { +- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); +- *_skb = NULL; +- return just_discard; +- } ++ if (skb_cloned(skb) || skb->data_len) { ++ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC); ++ ++ if (!nskb) { ++ rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); ++ return just_discard; ++ } + +- if (skb != *_skb) { + rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare); +- *_skb = skb; ++ consume_skb(*_skb); ++ *_skb = nskb; ++ skb = nskb; + rxrpc_new_skb(skb, rxrpc_skb_new_unshared); + sp = rxrpc_skb(skb); + } +-- +2.43.0 diff --git a/1102-net-skbuff-propagate-shared-frag-marker.patch b/1102-net-skbuff-propagate-shared-frag-marker.patch new file mode 100644 index 000000000..6880430f9 --- /dev/null +++ b/1102-net-skbuff-propagate-shared-frag-marker.patch @@ -0,0 +1,105 @@ +From: Eduard Abdullin +Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through frag-transfer helpers + +Backport of upstream v3 patch posted at +https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/ +(sibling to upstream commit f4c50a4034e6 "xfrm: esp: avoid in-place +decrypt on shared skb frags"). + +Three frag-transfer helpers (__pskb_copy_fclone(), skb_try_coalesce(), +and skb_shift()) and the GRO accumulator helpers (skb_gro_receive() +and skb_gro_receive_list()) fail to propagate the SKBFL_SHARED_FRAG +bit in skb_shinfo()->flags when moving frag descriptors from source +to destination. As a result, the destination skb keeps a reference +to the same externally-owned or page-cache-backed pages while +reporting skb_has_shared_frag() as false. + +The mismatch is harmful in any in-place writer that uses +skb_has_shared_frag() to decide whether shared pages must be detoured +through skb_cow_data(). ESP input is one such writer (esp4.c, +esp6.c). Combined with an nft 'dup to ' rule, an +nf_dup_ipv4() / xt_TEE caller, or ESP-over-UDP with UDP GRO, this +lets an unprivileged user write into the page cache of a root-owned +read-only file via authencesn-ESN stray writes (CVE-2026-46300, +"Fragnesia"). + +Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors +were actually moved from the source. skb_copy() and skb_copy_expand() +share skb_copy_header() too but linearize all paged data into freshly +allocated head storage and emerge with nr_frags == 0, so +skb_has_shared_frag() returns false on its own; they need no change. + +The same omission exists in skb_gro_receive() and +skb_gro_receive_list(). The former moves the incoming skb's frag +descriptors into the accumulator's last sub-skb via two paths plus a +"merge:" fallback that chains the whole skb onto frag_list; the +latter chains the incoming skb whole onto p's frag_list. Downstream +skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() +reuses each sub-skb's shinfo as the nskb -- both p and lp must carry +the marker. + +Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") +Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") +Reported-by: Sultan Alsawaf +Reported-by: William Bowling +Reported-by: Hyunwoo Kim +Signed-off-by: Eduard Abdullin +--- + net/core/gro.c | 4 ++++ + net/core/skbuff.c | 5 +++++ + 2 files changed, 9 insertions(+) + +--- a/net/core/gro.c ++++ b/net/core/gro.c +@@ -213,10 +213,12 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) + p->data_len += len; + p->truesize += delta_truesize; + p->len += len; ++ skb_shinfo(p)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG; + if (lp != p) { + lp->data_len += len; + lp->truesize += delta_truesize; + lp->len += len; ++ skb_shinfo(lp)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG; + } + NAPI_GRO_CB(skb)->same_flow = 1; + return 0; +@@ -244,6 +246,8 @@ int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb) + p->truesize += skb->truesize; + p->len += skb->len; + ++ skb_shinfo(p)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; ++ + NAPI_GRO_CB(skb)->same_flow = 1; + + return 0; +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom, + skb_frag_ref(skb, i); + } + skb_shinfo(n)->nr_frags = i; ++ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; + } + + if (skb_has_frag_list(skb)) { +@@ -4198,6 +4199,8 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen) + tgt->ip_summed = CHECKSUM_PARTIAL; + skb->ip_summed = CHECKSUM_PARTIAL; + ++ skb_shinfo(tgt)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; ++ + skb_len_add(skb, -shiftlen); + skb_len_add(tgt, shiftlen); + +@@ -6028,6 +6031,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, + from_shinfo->frags, + from_shinfo->nr_frags * sizeof(skb_frag_t)); + to_shinfo->nr_frags += from_shinfo->nr_frags; ++ if (from_shinfo->nr_frags) ++ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; + + if (!skb_cloned(from)) + from_shinfo->nr_frags = 0; +-- +2.43.0 diff --git a/1103-ptrace-require-cap-on-mm-less-task.patch b/1103-ptrace-require-cap-on-mm-less-task.patch new file mode 100644 index 000000000..0c23998c0 --- /dev/null +++ b/1103-ptrace-require-cap-on-mm-less-task.patch @@ -0,0 +1,55 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10s] ptrace: require CAP_SYS_PTRACE when task has no mm + +kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd +("ptrace: slightly saner 'get_dumpable()' logic") posted at +https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a + +The upstream fix adds a 'user_dumpable:1' bit to task_struct and +caches the last dumpability in exit_mm() so __ptrace_may_access() +can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel +threads or already-exited user tasks). That layout change to +task_struct breaks kABI on AlmaLinux 10s (the symtype +signature of struct task_struct is referenced by hundreds of +stablelist exports), so we cannot import the field/exit_mm hunks +as-is. + +Take the minimal kABI-safe slice instead: when task->mm == NULL, +require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes +the Qualys Security Advisory hole -- mm-less targets no longer pass +the dumpability check by default -- without touching task_struct or +exit.c. The only behavioural delta versus upstream is that a user +task that has already cleared its mm in exit_mm() (a dying/zombie +task) now also requires CAP_SYS_PTRACE to attach, instead of being +remembered as previously dumpable. Such targets are rarely ptraced +in practice. + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-227.el10. + +Reported-by: Qualys Security Advisory +Signed-off-by: Andrew Lukoshko +--- + kernel/ptrace.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + smp_rmb(); + mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (mm) { ++ if ((get_dumpable(mm) != SUID_DUMP_USER) && ++ !ptrace_has_cap(mm->user_ns, mode)) ++ return -EPERM; ++ } else if (!ptrace_has_cap(&init_user_ns, mode)) { ++ return -EPERM; ++ } + + return security_ptrace_access_check(task, mode); +-- +2.43.0 diff --git a/kernel.spec b/kernel.spec index dbaaf2a87..e6c6fa88d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1143,6 +1143,10 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch Patch2008: 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch Patch2009: 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch Patch2010: 0001-Keep-fs-btrfs-files-in-modules-package.patch +Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +Patch1101: 1101-rxrpc-linearize-paged-frags.patch +Patch1102: 1102-net-skbuff-propagate-shared-frag-marker.patch +Patch1103: 1103-ptrace-require-cap-on-mm-less-task.patch # END OF PATCH DEFINITIONS @@ -2038,6 +2042,10 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch ApplyPatch 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch ApplyPatch 0001-Keep-fs-btrfs-files-in-modules-package.patch +ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +ApplyPatch 1101-rxrpc-linearize-paged-frags.patch +ApplyPatch 1102-net-skbuff-propagate-shared-frag-marker.patch +ApplyPatch 1103-ptrace-require-cap-on-mm-less-task.patch %{log_msg "End of patch applications"} # END OF PATCH APPLICATIONS @@ -4552,6 +4560,12 @@ fi\ # # %changelog +* Tue May 19 2026 Andrew Lukoshko - 6.12.0-228 +- xfrm: esp: avoid in-place decrypt on shared skb frags (CVE-2026-43284) +- rxrpc: linearize incoming DATA packet when it has paged frags (CVE-2026-43500) +- net: skbuff: propagate shared-frag marker through frag-transfer helpers +- ptrace: require CAP_SYS_PTRACE on mm-less tasks (kABI-safe Qualys fix) + * Sat May 16 2026 Eduard Abdullin - 6.12.0-228 - Debrand for AlmaLinux OS - Use AlmaLinux OS secure boot cert