diff --git a/.gitignore b/.gitignore index 3d118e762..841e47ce5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ -SOURCES/kernel-abi-stablelists-5.14.0-611.54.1.el9_7.tar.bz2 -SOURCES/kernel-kabi-dw-5.14.0-611.54.1.el9_7.tar.bz2 -SOURCES/linux-5.14.0-611.54.1.el9_7.tar.xz +SOURCES/kernel-abi-stablelists-5.14.0-611.55.1.el9_7.tar.bz2 +SOURCES/kernel-kabi-dw-5.14.0-611.55.1.el9_7.tar.bz2 +SOURCES/linux-5.14.0-611.55.1.el9_7.tar.xz SOURCES/nvidiagpuoot001.x509 SOURCES/olima1.x509 SOURCES/olimaca1.x509 diff --git a/.kernel.metadata b/.kernel.metadata index e52887490..8eaa761e2 100644 --- a/.kernel.metadata +++ b/.kernel.metadata @@ -1,6 +1,6 @@ -55bcc86c5e6b577c0cc216b3bd58f99af6ffac61 SOURCES/kernel-abi-stablelists-5.14.0-611.54.1.el9_7.tar.bz2 -72fc5587656a1267bebfb66f846c7e1b89c3431f SOURCES/kernel-kabi-dw-5.14.0-611.54.1.el9_7.tar.bz2 -67307c8b124afd46c91fd6f6465ac4b670d99d8d SOURCES/linux-5.14.0-611.54.1.el9_7.tar.xz +930ba685db585740e3419b2949051decb91de9f9 SOURCES/kernel-abi-stablelists-5.14.0-611.55.1.el9_7.tar.bz2 +f78145d89439e77dfa4a2209074e34f05345fb25 SOURCES/kernel-kabi-dw-5.14.0-611.55.1.el9_7.tar.bz2 +d008343a381ee2c66f3a1a22f82c7ef58227cdb5 SOURCES/linux-5.14.0-611.55.1.el9_7.tar.xz 4fff8080e88afffc06d8ef5004db8d53bb21237f SOURCES/nvidiagpuoot001.x509 706ae01dd14efa38f0f565a3706acac19c78df02 SOURCES/olima1.x509 6e3f0d61414c0b50f48dc2d4c3b3cd024e1c3a43 SOURCES/olimaca1.x509 diff --git a/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch b/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch deleted file mode 100644 index 0e0572306..000000000 --- a/SOURCES/1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +++ /dev/null @@ -1,75 +0,0 @@ -From: Andrew Lukoshko -Subject: [PATCH AlmaLinux 9] xfrm: esp: avoid in-place decrypt on shared skb frags - -Backport of upstream commit f4c50a4034e6 ("xfrm: esp: avoid in-place -decrypt on shared skb frags") for AlmaLinux 9 (5.14 kernel). - -Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) -against kernel-5.14.0-611.54.1.el9_7. - -ESP-in-UDP packets built from caller-owned pages (e.g. pipe pages -attached via udp_sendpage(2) -> ip_append_page() -> skb_append_pagefrags()) -look like ordinary uncloned nonlinear skbs. ESP input then takes the -no-COW fast path and decrypts in place over data that is not owned -privately by the skb. - -Tree adaptation: - * Upstream patches __ip_append_data() / __ip6_append_data(), the - MSG_SPLICE_PAGES branch added by 7da0dde68486 / 6d8192bd69bb. - That feature has not been wired into UDP send paths on this tree - (no caller of skb_splice_from_iter in net/ipv{4,6}/). - * The age-equivalent producer is ip_append_page() (udp_sendpage). - Mark frags there with SKBFL_SHARED_FRAG so skb_has_shared_frag() - fires for these skbs. - * UDPv6 has no .sendpage op in this tree, so the esp6 hunk is - defense-in-depth in case a later backport adds one. - * The esp4/esp6 receiver-side hunks are taken verbatim from - upstream. - -Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible") -Fixes: 03e2a30f6a27 ("esp6: Avoid skb_cow_data whenever possible") -(cherry picked from commit f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4) -Signed-off-by: Andrew Lukoshko ---- - net/ipv4/esp4.c | 3 ++- - net/ipv4/ip_output.c | 2 ++ - net/ipv6/esp6.c | 3 ++- - 3 files changed, 6 insertions(+), 2 deletions(-) - ---- a/net/ipv4/esp4.c -+++ b/net/ipv4/esp4.c -@@ -920,7 +920,8 @@ - nfrags = 1; - - goto skip_cow; -- } else if (!skb_has_frag_list(skb)) { -+ } else if (!skb_has_frag_list(skb) && -+ !skb_has_shared_frag(skb)) { - nfrags = skb_shinfo(skb)->nr_frags; - nfrags++; - ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -1467,6 +1467,8 @@ - err = -EMSGSIZE; - goto error; - } -+ if (!(flags & MSG_NO_SHARED_FRAGS)) -+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG; - - if (skb->ip_summed == CHECKSUM_NONE) { - __wsum csum; ---- a/net/ipv6/esp6.c -+++ b/net/ipv6/esp6.c -@@ -960,7 +960,8 @@ - nfrags = 1; - - goto skip_cow; -- } else if (!skb_has_frag_list(skb)) { -+ } else if (!skb_has_frag_list(skb) && -+ !skb_has_shared_frag(skb)) { - nfrags = skb_shinfo(skb)->nr_frags; - nfrags++; - --- -2.43.0 diff --git a/SOURCES/1101-rxrpc-linearize-paged-frags.patch b/SOURCES/1101-rxrpc-linearize-paged-frags.patch deleted file mode 100644 index 49761a31a..000000000 --- a/SOURCES/1101-rxrpc-linearize-paged-frags.patch +++ /dev/null @@ -1,68 +0,0 @@ -From: Andrew Lukoshko -Subject: [PATCH AlmaLinux 9] rxrpc: linearize incoming DATA packet when it has paged frags - -AlmaLinux-specific backport of the intent of the upstream rxrpc fix -posted at https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/ -(sibling to upstream commit f4c50a4034e6 in the ESP/xfrm subsystem). - -The upstream patch can not be cherry-picked against this 5.14 tree: -its target lines were introduced by upstream commit d0d5c0cd1e71 -("rxrpc: Use skb_unshare() rather than skb_cow_data()") which is not -present here. The age-equivalent code path on AlmaLinux 9 is the -centralized skb_unshare() in net/rxrpc/io_thread.c that is run for -every DATA packet with a non-zero securityIndex before in-place -decryption. - -skb_unshare() only handles cloned skbs. An skb that is non-cloned but -carries paged fragments (skb->data_len != 0) — e.g. pages attached via -udp_sendpage() / splice() / MSG_SPLICE_PAGES on a UDP socket carrying -rxrpc traffic — slips through and is decrypted in place over data the -skb does not own privately. With kernel-modules-partner installed -(rxrpc.ko enabled), this is exploitable. - -Replace the unconditional skb_unshare() with skb_copy() whenever the -skb is cloned OR carries paged fragments. skb_copy() always returns a -freshly allocated linear skb, so subsequent in-place decryption only -touches kernel-owned memory. The original skb is consumed explicitly -(skb_unshare did this internally via consume_skb()). - -Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no -rejects) against kernel-5.14.0-611.54.1.el9_7. - -Fixes: cac2661c53f3 ("rxrpc: Use skb_cow_data() in rxrpc_recvmsg_data()") -Signed-off-by: Andrew Lukoshko ---- - net/rxrpc/io_thread.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - ---- a/net/rxrpc/io_thread.c -+++ b/net/rxrpc/io_thread.c -@@ -225,16 +225,18 @@ - * decryption. - */ - if (sp->hdr.securityIndex != 0) { -- skb = skb_unshare(skb, GFP_ATOMIC); -- if (!skb) { -- rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); -- *_skb = NULL; -- return just_discard; -- } -+ if (skb_cloned(skb) || skb->data_len) { -+ struct sk_buff *nskb = skb_copy(skb, GFP_ATOMIC); -+ -+ if (!nskb) { -+ rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare_nomem); -+ return just_discard; -+ } - -- if (skb != *_skb) { - rxrpc_eaten_skb(*_skb, rxrpc_skb_eaten_by_unshare); -- *_skb = skb; -+ consume_skb(*_skb); -+ *_skb = nskb; -+ skb = nskb; - rxrpc_new_skb(skb, rxrpc_skb_new_unshared); - sp = rxrpc_skb(skb); - } --- -2.43.0 diff --git a/SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch b/SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch deleted file mode 100644 index 849b2be32..000000000 --- a/SOURCES/1102-net-skbuff-propagate-shared-frag-marker.patch +++ /dev/null @@ -1,122 +0,0 @@ -From: Eduard Abdullin -Subject: [PATCH AlmaLinux 9] net: skbuff: propagate shared-frag marker through frag-transfer helpers - -Backport of upstream v3 patch posted at -https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/ -(sibling to upstream commit f4c50a4034e6 "xfrm: esp: avoid in-place -decrypt on shared skb frags"). - -Three frag-transfer helpers in net/core/skbuff.c -(__pskb_copy_fclone(), skb_try_coalesce(), skb_shift()) and the -GRO accumulator path in net/core/gro.c (skb_gro_receive()) and the -UDP GRO list helper in net/ipv4/udp_offload.c -(skb_gro_receive_list(), kept as a static helper on AlmaLinux 9) -fail to propagate the SKBFL_SHARED_FRAG bit in skb_shinfo()->flags -when moving frag descriptors from source to destination. As a -result, the destination skb keeps a reference to the same -externally-owned or page-cache-backed pages while reporting -skb_has_shared_frag() as false. - -The mismatch is harmful in any in-place writer that uses -skb_has_shared_frag() to decide whether shared pages must be detoured -through skb_cow_data(). ESP input is one such writer (esp4.c, -esp6.c). Combined with an nft 'dup to ' rule, an -nf_dup_ipv4() / xt_TEE caller, or ESP-over-UDP with UDP GRO, this -lets an unprivileged user write into the page cache of a root-owned -read-only file via authencesn-ESN stray writes (CVE-2026-46300, -"Fragnesia"). - -Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors -were actually moved from the source. skb_copy() and skb_copy_expand() -share skb_copy_header() too but linearize all paged data into freshly -allocated head storage and emerge with nr_frags == 0, so -skb_has_shared_frag() returns false on its own; they need no change. - -The same omission exists in skb_gro_receive() and -skb_gro_receive_list(). The former moves the incoming skb's frag -descriptors into the accumulator's last sub-skb via two paths plus a -"merge:" fallback that chains the whole skb onto frag_list; the -latter chains the incoming skb whole onto p's frag_list. Downstream -skb_segment() reads only skb_shinfo(p)->flags, and skb_segment_list() -reuses each sub-skb's shinfo as the nskb -- both p and lp must carry -the marker. - -Tree adaptation: - * Upstream v3 places skb_gro_receive_list() in net/core/gro.c. - AlmaLinux 9 still keeps it as a static helper in - net/ipv4/udp_offload.c (it has not been promoted to a global - GRO helper in this tree). Apply the propagation hunk there - instead. - * Upstream skb_shift() uses skb_len_add() helpers (introduced in - v5.16); AlmaLinux 9 still has the open-coded - `skb->len -= shiftlen; ...` block. The insertion point (right - after both ip_summed assignments) is the same. - -Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") -Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") -Reported-by: Sultan Alsawaf -Reported-by: William Bowling -Reported-by: Hyunwoo Kim -Signed-off-by: Eduard Abdullin ---- - net/core/gro.c | 2 ++ - net/core/skbuff.c | 6 ++++++ - net/ipv4/udp_offload.c | 2 ++ - 3 files changed, 10 insertions(+) - ---- a/net/core/gro.c -+++ b/net/core/gro.c -@@ -222,10 +222,12 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb) - p->data_len += len; - p->truesize += delta_truesize; - p->len += len; -+ skb_shinfo(p)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG; - if (lp != p) { - lp->data_len += len; - lp->truesize += delta_truesize; - lp->len += len; -+ skb_shinfo(lp)->flags |= skbinfo->flags & SKBFL_SHARED_FRAG; - } - NAPI_GRO_CB(skb)->same_flow = 1; - return 0; ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -2026,6 +2026,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom, - skb_frag_ref(skb, i); - } - skb_shinfo(n)->nr_frags = i; -+ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; - } - - if (skb_has_frag_list(skb)) { -@@ -4029,6 +4030,8 @@ int skb_shift(struct sk_buff *tgt, struct sk_buff *skb, int shiftlen) - tgt->ip_summed = CHECKSUM_PARTIAL; - skb->ip_summed = CHECKSUM_PARTIAL; - -+ skb_shinfo(tgt)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; -+ - /* Yak, is it really working this way? Some helper please? */ - skb->len -= shiftlen; - skb->data_len -= shiftlen; -@@ -5740,6 +5743,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, - from_shinfo->frags, - from_shinfo->nr_frags * sizeof(skb_frag_t)); - to_shinfo->nr_frags += from_shinfo->nr_frags; -+ if (from_shinfo->nr_frags) -+ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; - - if (!skb_cloned(from)) - from_shinfo->nr_frags = 0; ---- a/net/ipv4/udp_offload.c -+++ b/net/ipv4/udp_offload.c -@@ -487,6 +487,8 @@ static int skb_gro_receive_list(struct sk_buff *p, struct sk_buff *skb) - p->truesize += skb->truesize; - p->len += skb->len; - -+ skb_shinfo(p)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; -+ - NAPI_GRO_CB(skb)->same_flow = 1; - - return 0; --- -2.43.0 diff --git a/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch b/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch deleted file mode 100644 index 08b94e525..000000000 --- a/SOURCES/1103-ptrace-require-cap-on-mm-less-task.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Andrew Lukoshko -Subject: [PATCH AlmaLinux 9] ptrace: require CAP_SYS_PTRACE when task has no mm - -kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd -("ptrace: slightly saner 'get_dumpable()' logic") posted at -https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a - -The upstream fix adds a 'user_dumpable:1' bit to task_struct and -caches the last dumpability in exit_mm() so __ptrace_may_access() -can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel -threads or already-exited user tasks). That layout change to -task_struct breaks kABI on RHEL/AlmaLinux 9 (the symtype -signature of struct task_struct is referenced by stablelist exports -such as set_cpus_allowed_ptr() and wake_up_process()), so we cannot -import the field/exit_mm hunks as-is. - -Take the minimal kABI-safe slice instead: when task->mm == NULL, -require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes -the Qualys Security Advisory hole -- mm-less targets no longer pass -the dumpability check by default -- without touching task_struct or -exit.c. The only behavioural delta versus upstream is that a user -task that has already cleared its mm in exit_mm() (a dying/zombie -task) now also requires CAP_SYS_PTRACE to attach, instead of being -remembered as previously dumpable. Such targets are rarely ptraced -in practice. - -Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) -against kernel-5.14.0-611.54.1.el9_7. - -Reported-by: Qualys Security Advisory -Signed-off-by: Andrew Lukoshko ---- - kernel/ptrace.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -@@ -349,8 +349,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) - smp_rmb(); - mm = task->mm; -- if (mm && -- ((get_dumpable(mm) != SUID_DUMP_USER) && -- !ptrace_has_cap(mm->user_ns, mode))) -- return -EPERM; -+ if (mm) { -+ if ((get_dumpable(mm) != SUID_DUMP_USER) && -+ !ptrace_has_cap(mm->user_ns, mode)) -+ return -EPERM; -+ } else if (!ptrace_has_cap(&init_user_ns, mode)) { -+ return -EPERM; -+ } - - return security_ptrace_access_check(task, mode); --- -2.43.0 diff --git a/SOURCES/Makefile.rhelver b/SOURCES/Makefile.rhelver index 89455b77b..f4c77bf9a 100644 --- a/SOURCES/Makefile.rhelver +++ b/SOURCES/Makefile.rhelver @@ -12,7 +12,7 @@ RHEL_MINOR = 7 # # Use this spot to avoid future merge conflicts. # Do not trim this comment. -RHEL_RELEASE = 611.54.1 +RHEL_RELEASE = 611.55.1 # # ZSTREAM diff --git a/SOURCES/kernel.changelog b/SOURCES/kernel.changelog index f18338fd2..c96cb5774 100644 --- a/SOURCES/kernel.changelog +++ b/SOURCES/kernel.changelog @@ -1,3 +1,7 @@ +* Sat May 09 2026 CKI KWF Bot [5.14.0-611.55.1.el9_7] +- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174561] {CVE-2026-43284} +Resolves: RHEL-174561 + * Sat May 02 2026 CKI KWF Bot [5.14.0-611.54.1.el9_7] - crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172201] - crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172201] diff --git a/SPECS/kernel.spec b/SPECS/kernel.spec index 8c50bf48b..c26efa151 100644 --- a/SPECS/kernel.spec +++ b/SPECS/kernel.spec @@ -165,15 +165,15 @@ Summary: The Linux kernel # define buildid .local %define specversion 5.14.0 %define patchversion 5.14 -%define pkgrelease 611.54.6 +%define pkgrelease 611.55.1 %define kversion 5 -%define tarfile_release 5.14.0-611.54.1.el9_7 +%define tarfile_release 5.14.0-611.55.1.el9_7 # This is needed to do merge window version magic %define patchlevel 14 # This allows pkg_release to have configurable %%{?dist} tag -%define specrelease 611.54.6%{?buildid}%{?dist} +%define specrelease 611.55.1%{?buildid}%{?dist} # This defines the kabi tarball version -%define kabiversion 5.14.0-611.54.1.el9_7 +%define kabiversion 5.14.0-611.55.1.el9_7 # # End of genspec.sh variables @@ -956,10 +956,6 @@ Patch2004: 0004-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch Patch2005: 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch Patch2006: 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch Patch2007: 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch -Patch1100: 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch -Patch1101: 1101-rxrpc-linearize-paged-frags.patch -Patch1102: 1102-net-skbuff-propagate-shared-frag-marker.patch -Patch1103: 1103-ptrace-require-cap-on-mm-less-task.patch Patch11111: ppc64le-kvm-support.patch @@ -1704,10 +1700,6 @@ ApplyPatch 0004-Bring-back-deprecated-pci-ids-to-qla2xxx-driver.patch ApplyPatch 0005-Bring-back-deprecated-pci-ids-to-lpfc-driver.patch ApplyPatch 0006-Bring-back-deprecated-pci-ids-to-qla4xxx-driver.patch ApplyPatch 0007-Bring-back-deprecated-pci-ids-to-be2iscsi-driver.patch -ApplyPatch 1100-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch -ApplyPatch 1101-rxrpc-linearize-paged-frags.patch -ApplyPatch 1102-net-skbuff-propagate-shared-frag-marker.patch -ApplyPatch 1103-ptrace-require-cap-on-mm-less-task.patch # END OF PATCH APPLICATIONS @@ -3779,22 +3771,7 @@ fi # # %changelog -* Fri May 15 2026 Andrew Lukoshko - 5.14.0-611.54.6 -- ptrace: require CAP_SYS_PTRACE when task has no mm (kABI-safe) - -* Thu May 14 2026 Eduard Abdullin - 5.14.0-611.54.5 -- net: skbuff: propagate shared-frag marker through frag-transfer helpers - -* Wed May 13 2026 Andrew Lukoshko - 5.14.0-611.54.4 -- net: skbuff: propagate shared-frag marker through pskb_copy() - -* Thu May 07 2026 Andrew Lukoshko - 5.14.0-611.54.3 -- rxrpc: linearize incoming DATA packet when it has paged frags - -* Thu May 07 2026 Andrew Lukoshko - 5.14.0-611.54.2 -- xfrm: esp: avoid in-place decrypt on shared skb frags - -* Wed May 06 2026 Andrew Lukoshko - 5.14.0-611.54.1 +* Mon May 18 2026 Andrew Lukoshko - 5.14.0-611.55.1 - hpsa: bring back deprecated PCI ids #CFHack #CFHack2024 - mptsas: bring back deprecated PCI ids #CFHack #CFHack2024 - megaraid_sas: bring back deprecated PCI ids #CFHack #CFHack2024 @@ -3805,11 +3782,14 @@ fi - kernel/rh_messages.h: enable all disabled pci devices by moving to unmaintained -* Wed May 06 2026 Eduard Abdullin - 5.14.0-611.54.1 +* Mon May 18 2026 Eduard Abdullin - 5.14.0-611.55.1 - Use AlmaLinux OS secure boot cert - Debrand for AlmaLinux OS - Add KVM support for ppc64le +* Sat May 09 2026 CKI KWF Bot [5.14.0-611.55.1.el9_7] +- xfrm: esp: avoid in-place decrypt on shared skb frags (Sabrina Dubroca) [RHEL-174561] {CVE-2026-43284} + * Sat May 02 2026 CKI KWF Bot [5.14.0-611.54.1.el9_7] - crypto: algif_aead - snapshot IV for async AEAD requests (Vladislav Dronov) [RHEL-172201] - crypto: algif_aead - Fix minimum RX size check for decryption (Vladislav Dronov) [RHEL-172201]