kernel/SPECS
eabdullin e1dbabe6cc Bump version to 4.18.0-553.124.3
net: skbuff: propagate shared-frag marker through frag-transfer helpers

Replace 553.124.2's partial fix (which was a backport of Hyunwoo Kim's
v1 patch covering only __pskb_copy_fclone() and skb_try_coalesce())
with a backport of the upstream v3 patch:
https://lore.kernel.org/all/agW4vC0r8QOUKtRT@v4bel/

v3 also covers skb_shift() (the new hunk added in v2) and
skb_gro_receive() / skb_gro_receive_list() (the audit follow-up
suggested by Sultan Alsawaf in agVpIsaSherjHTYg@sultan-box).

All five sites moved frag descriptors between skbs without
propagating the SKBFL_SHARED_FRAG marker (SKBTX_SHARED_FRAG on 4.18),
so destinations could end up referencing externally-owned or
page-cache-backed pages while reporting skb_has_shared_frag() as
false. Combined with ESP-over-UDP and UDP GRO, or any
nf_dup_ipv4 / xt_TEE caller, this lets an unprivileged user trigger
in-place ESP decryption over root-owned page-cache pages
(CVE-2026-46300, "Fragnesia").

Tree-adapted to the 4.18 kernel: SKBFL_SHARED_FRAG / shinfo->flags
back to the legacy SKBTX_SHARED_FRAG / shinfo->tx_flags, and
skb_gro_receive() / skb_gro_receive_list() targeting net/core/skbuff.c
since the net/core/gro.c split (upstream v5.19) is not in 4.18.
2026-05-14 15:59:08 +03:00
kernel.spec Bump version to 4.18.0-553.124.3 2026-05-14 15:59:08 +03:00
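A user-space C model of the invariant the commit message above describes, added here as an illustration; it is not code from the kernel patch or from this repository. Every `model_*` name, the flag value and the sample page are hypothetical stand-ins: `MODEL_SHARED_FRAG` plays the role of SKBTX_SHARED_FRAG, and `external` is ground truth that real consumers cannot see.

```c
#include <stdbool.h>
#include <stddef.h>
/* User-space model only, not kernel code. All model_* names are hypothetical. */
#define MODEL_MAX_FRAGS 4
#define MODEL_SHARED_FRAG 0x1u /* stand-in for SKBTX_SHARED_FRAG; value is constructed */
struct model_frag { const unsigned char *page; bool external; /* ground truth */ };
struct model_skb {
    unsigned int tx_flags; /* models shinfo->tx_flags */
    size_t nr_frags;
    struct model_frag frags[MODEL_MAX_FRAGS];
};
/* What a consumer can see: the marker, never the ground truth. */
static bool model_has_shared_frag(const struct model_skb *skb)
{
    return skb->nr_frags > 0 && (skb->tx_flags & MODEL_SHARED_FRAG) != 0;
}
/* Move all frag references src -> dst. propagate=false models the pre-fix helpers. */
static void model_move_frags(struct model_skb *dst, struct model_skb *src, bool propagate)
{
    size_t n = src->nr_frags;
    if (dst->nr_frags + n > MODEL_MAX_FRAGS)
        return; /* no room: leave both untouched */
    for (size_t i = 0; i < n; i++)
        dst->frags[dst->nr_frags++] = src->frags[i];
    src->nr_frags = 0;
    if (propagate && n)
        dst->tx_flags |= src->tx_flags & MODEL_SHARED_FRAG;
}

/* Invariant: an skb holding any externally owned page must report shared frags. */
static bool model_marker_consistent(const struct model_skb *skb)
{
    for (size_t i = 0; i < skb->nr_frags; i++)
        if (skb->frags[i].external && !model_has_shared_frag(skb))
            return false;
    return true;
}

/* Constructed scenario: one frag moved into an empty destination. */
static bool model_transfer_keeps_invariant(bool external, bool propagate)
{
    static const unsigned char page[16] = {0}; /* constructed stand-in page */
    struct model_skb src = { external ? MODEL_SHARED_FRAG : 0u, 1, { { page, external } } };
    struct model_skb dst = { 0u, 0, { { NULL, false } } };
    model_move_frags(&dst, &src, propagate);
    return model_marker_consistent(&dst);
}

int main(void) { return model_transfer_keeps_invariant(true, true) ? 0 : 1; }
```

With `propagate` false the destination holds an externally owned page while reporting no shared frags, which is the state in which a consumer would skip the copy it needs before writing in place.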