diff --git a/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch new file mode 100644 index 000000000..0fe6a5691 --- /dev/null +++ b/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch @@ -0,0 +1,77 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] xfrm: esp: avoid in-place decrypt on shared skb frags + +Direct cherry-pick of upstream commit f4c50a4034e6 for AlmaLinux 10 +(6.12 kernel). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.55.1.el10_1. + +ESP-in-UDP packets built from MSG_SPLICE_PAGES (pipe pages) look like +ordinary uncloned nonlinear skbs to ESP input, which takes the no-COW +fast path and decrypts in place over data that is not owned privately +by the skb. Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG +matching TCP, and make ESP input fall back to skb_cow_data() when the +flag is present. + +Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") +Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") +Fixes: 7da0dde68486 ("ip, udp: Support MSG_SPLICE_PAGES") +Fixes: 6d8192bd69bb ("ip6, udp6: Support MSG_SPLICE_PAGES") +(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) +Signed-off-by: Andrew Lukoshko +--- + net/ipv4/esp4.c | 3 ++- + net/ipv4/ip_output.c | 2 ++ + net/ipv6/esp6.c | 3 ++- + net/ipv6/ip6_output.c | 2 ++ + 4 files changed, 8 insertions(+), 2 deletions(-) + +--- a/net/ipv4/esp4.c ++++ b/net/ipv4/esp4.c +@@ -908,7 +908,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -1236,6 +1236,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +--- a/net/ipv6/esp6.c ++++ b/net/ipv6/esp6.c +@@ -950,7 +950,8 @@ + nfrags = 1; + + goto skip_cow; +- } else if (!skb_has_frag_list(skb)) { ++ } else if (!skb_has_frag_list(skb) && ++ !skb_has_shared_frag(skb)) { + nfrags = skb_shinfo(skb)->nr_frags; + nfrags++; + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1769,6 +1769,8 @@ + if (err < 0) + goto error; + copy = err; ++ if (!(flags & MSG_NO_SHARED_FRAGS)) ++ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; + wmem_alloc_delta += copy; + } else if (!zc) { + int i = skb_shinfo(skb)->nr_frags; +-- +2.43.0 diff --git a/1101-rxrpc-linearize-paged-frags.patch b/1101-rxrpc-linearize-paged-frags.patch new file mode 100644 index 000000000..71f881d12 --- /dev/null +++ b/1101-rxrpc-linearize-paged-frags.patch @@ -0,0 +1,69 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] rxrpc: linearize incoming DATA packet when it has paged frags + +AlmaLinux-specific backport of the intent of the upstream rxrpc fix +posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ for the +"Dirty Frag" class of bugs (sibling to upstream commit f4c50a4034e6 in +the ESP/xfrm subsystem). + +The upstream patch can not be cherry-picked against this 6.12 tree: +its target lines were introduced by upstream commit d0d5c0cd1e71 +("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not +present here. The age-equivalent code path on AlmaLinux 10 is the +centralized skb_unshare() in net/rxrpc/io_thread.c that is run for +every DATA packet with a non-zero securityIndex before in-place +decryption. + +skb_unshare() only handles cloned skbs. An skb that is non-cloned but +carries paged fragments (skb->data_len != 0) — e.g. pages attached via +udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying +rxrpc traffic — slips through and is decrypted in place over data the +skb does not own privately. With kernel-modules-partner installed +(rxrpc.ko enabled), this is exploitable. + +Replace the unconditional skb_unshare() with skb_copy() whenever the +skb is cloned OR carries paged fragments. skb_copy() always returns a +freshly allocated linear skb, so subsequent in-place decryption only +touches kernel-owned memory. The original skb is consumed explicitly +(skb_unshare did this internally via consume_skb()). + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no +rejects) against kernel-6.12.0-124.55.1.el10_1. + +Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()") +Signed-off-by: Andrew Lukoshko +--- + net/rxrpc/io_thread.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/net/rxrpc/io_thread.c ++++ b/net/rxrpc/io_thread.c +@@ -235,16 +235,18 @@ + * decryption. + */ + if (sp->hdr.securityIndex != 0) { +- skb = skb_unshare(skb, GFP_ATOMIC); +- if (!skb) { +- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); +- *_skb = NULL; +- return just_discard; +- } ++ if (skb_cloned(skb) || skb->data_len) { ++ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC); ++ ++ if (!nskb) { ++ rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); ++ return just_discard; ++ } + +- if (skb != *_skb) { + rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare); +- *_skb = skb; ++ consume_skb(*_skb); ++ *_skb = nskb; ++ skb = nskb; + rxrpc_new_skb(skb, rxrpc_skb_new_unshared); + sp = rxrpc_skb(skb); + } +-- +2.43.0 diff --git a/1102-net-skbuff-propagate-shared-frag-marker.patch b/1102-net-skbuff-propagate-shared-frag-marker.patch new file mode 100644 index 000000000..03b8c5397 --- /dev/null +++ b/1102-net-skbuff-propagate-shared-frag-marker.patch @@ -0,0 +1,64 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through pskb_copy() + +Backport of upstream patch posted at +https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/ +(sibling to the xfrm/esp shared-frag fix upstream commit f4c50a4034e6, +already merged into 6.12.0-124.56.1 via the c10s import). + +__pskb_copy_fclone() shallow-copies the source's frag descriptors and +bumps each page's refcount via skb_frag_ref(), then defers the rest +of the shinfo metadata to skb_copy_header(). That helper only carries +over gso_{size,segs,type} and never touches skb_shinfo()->flags, so +the destination skb keeps a reference to the same externally-owned or +page-cache-backed pages while reporting skb_has_shared_frag() as +false. + +The mismatch is harmful in any in-place writer that uses +skb_has_shared_frag() to decide whether shared pages must be detoured +through skb_cow_data(). ESP input is one such writer (esp4.c, +esp6.c), and a single nft 'dup to ' rule -- or any other +nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d +skb in esp_input() with the marker stripped, letting an unprivileged +user write into the page cache of a root-owned read-only file via +authencesn-ESN stray writes. + +Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors +were actually moved from the source. skb_copy() and skb_copy_expand() +share skb_copy_header() too but linearize all paged data into freshly +allocated head storage and emerge with nr_frags == 0, so +skb_has_shared_frag() returns false on its own; they need no change. + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.56.1.el10_1. + +Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") +Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") +Reported-by: William Bowling +Reported-by: Hyunwoo Kim +Signed-off-by: Andrew Lukoshko +--- + net/core/skbuff.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom, + skb_frag_ref(skb, i); + } + skb_shinfo(n)->nr_frags = i; ++ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; + } + + if (skb_has_frag_list(skb)) { +@@ -6028,6 +6029,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, + from_shinfo->frags, + from_shinfo->nr_frags * sizeof(skb_frag_t)); + to_shinfo->nr_frags += from_shinfo->nr_frags; ++ if (from_shinfo->nr_frags) ++ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; + + if (!skb_cloned(from)) + from_shinfo->nr_frags = 0; +-- +2.43.0 diff --git a/kernel.spec b/kernel.spec index e012df96d..ef8305ab1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1143,6 +1143,9 @@ Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch Patch2008: 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch Patch2009: 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch Patch2010: 0001-Keep-fs-btrfs-files-in-modules-package.patch +Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +Patch1101: 1101-rxrpc-linearize-paged-frags.patch +Patch1102: 1102-net-skbuff-propagate-shared-frag-marker.patch # END OF PATCH DEFINITIONS @@ -2038,6 +2041,9 @@ ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch ApplyPatch 0008-Bring-back-deprecated-pci-ids-to-megaraid_sas-driver.patch ApplyPatch 0009-Bring-back-deprecated-pci-ids-to-mpt3sas-driver.patch ApplyPatch 0001-Keep-fs-btrfs-files-in-modules-package.patch +ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +ApplyPatch 1101-rxrpc-linearize-paged-frags.patch +ApplyPatch 1102-net-skbuff-propagate-shared-frag-marker.patch %{log_msg "End of patch applications"} # END OF PATCH APPLICATIONS @@ -4552,6 +4558,11 @@ fi\ # # %changelog +* Wed May 13 2026 Andrew Lukoshko - 6.12.0-227 +- xfrm: esp: avoid in-place decrypt on shared skb frags (CVE-2026-43284) +- rxrpc: linearize incoming DATA packet when it has paged frags (CVE-2026-43500) +- net: skbuff: propagate shared-frag marker through pskb_copy() + * Wed May 13 2026 Eduard Abdullin - 6.12.0-227 - Debrand for AlmaLinux OS - Use AlmaLinux OS secure boot cert