Merge pull request 'Apply Fragnesia and ssh-keygen-pwn fixes' (#40) from metalefty/raspberrypi:a9 into a9

Reviewed-on: #40

SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch

@@ -0,0 +1,64 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through pskb_copy()
+
+Backport of upstream patch posted at
+https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/
+(sibling to the xfrm/esp shared-frag fix upstream commit f4c50a4034e6,
+already merged into 6.12.0-124.56.1 via the c10s import).
+
+__pskb_copy_fclone() shallow-copies the source's frag descriptors and
+bumps each page's refcount via skb_frag_ref(), then defers the rest
+of the shinfo metadata to skb_copy_header().  That helper only carries
+over gso_{size,segs,type} and never touches skb_shinfo()->flags, so
+the destination skb keeps a reference to the same externally-owned or
+page-cache-backed pages while reporting skb_has_shared_frag() as
+false.
+
+The mismatch is harmful in any in-place writer that uses
+skb_has_shared_frag() to decide whether shared pages must be detoured
+through skb_cow_data().  ESP input is one such writer (esp4.c,
+esp6.c), and a single nft 'dup to <local>' rule -- or any other
+nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d
+skb in esp_input() with the marker stripped, letting an unprivileged
+user write into the page cache of a root-owned read-only file via
+authencesn-ESN stray writes.
+
+Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors
+were actually moved from the source.  skb_copy() and skb_copy_expand()
+share skb_copy_header() too but linearize all paged data into freshly
+allocated head storage and emerge with nr_frags == 0, so
+skb_has_shared_frag() returns false on its own; they need no change.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.56.1.el10_1.
+
+Fixes: cef401de7be8 ("net: fix possible wrong checksum generation")
+Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags")
+Reported-by: William Bowling <vakzz@zellic.io>
+Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ net/core/skbuff.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom,
+ 			skb_frag_ref(skb, i);
+ 		}
+ 		skb_shinfo(n)->nr_frags = i;
++		skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG;
+ 	}
+
+ 	if (skb_has_frag_list(skb)) {
+@@ -6028,6 +6029,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from,
+ 	       from_shinfo->frags,
+ 	       from_shinfo->nr_frags * sizeof(skb_frag_t));
+ 	to_shinfo->nr_frags += from_shinfo->nr_frags;
++	if (from_shinfo->nr_frags)
++		to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG;
+
+ 	if (!skb_cloned(from))
+ 		from_shinfo->nr_frags = 0;
+--
+2.43.0

SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch

@@ -0,0 +1,55 @@
+From: Andrew Lukoshko <alukoshko@almalinux.org>
+Subject: [PATCH AlmaLinux 10] ptrace: require CAP_SYS_PTRACE when task has no mm
+
+kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd
+("ptrace: slightly saner 'get_dumpable()' logic") posted at
+https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a
+
+The upstream fix adds a 'user_dumpable:1' bit to task_struct and
+caches the last dumpability in exit_mm() so __ptrace_may_access()
+can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel
+threads or already-exited user tasks). That layout change to
+task_struct breaks kABI on AlmaLinux 10 (the symtype
+signature of struct task_struct is referenced by hundreds of
+stablelist exports), so we cannot import the field/exit_mm hunks
+as-is.
+
+Take the minimal kABI-safe slice instead: when task->mm == NULL,
+require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes
+the Qualys Security Advisory hole -- mm-less targets no longer pass
+the dumpability check by default -- without touching task_struct or
+exit.c. The only behavioural delta versus upstream is that a user
+task that has already cleared its mm in exit_mm() (a dying/zombie
+task) now also requires CAP_SYS_PTRACE to attach, instead of being
+remembered as previously dumpable. Such targets are rarely ptraced
+in practice.
+
+Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects)
+against kernel-6.12.0-124.56.1.el10_1.
+
+Reported-by: Qualys Security Advisory <qsa@qualys.com>
+Signed-off-by: Andrew Lukoshko <alukoshko@almalinux.org>
+---
+ kernel/ptrace.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/kernel/ptrace.c
++++ b/kernel/ptrace.c
+@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode)
+ 	smp_rmb();
+ 	mm = task->mm;
+-	if (mm &&
+-	    ((get_dumpable(mm) != SUID_DUMP_USER) &&
+-	     !ptrace_has_cap(mm->user_ns, mode)))
+-	    return -EPERM;
++	if (mm) {
++		if ((get_dumpable(mm) != SUID_DUMP_USER) &&
++		    !ptrace_has_cap(mm->user_ns, mode))
++			return -EPERM;
++	} else if (!ptrace_has_cap(&init_user_ns, mode)) {
++		return -EPERM;
++	}
+ 
+ 	return security_ptrace_access_check(task, mode);
+--
+2.43.0

SPECS/raspberrypi2.spec

@@ -11,7 +11,7 @@ ExclusiveArch: aarch64
 
 %define local_version v8
 %define bcmmodel 2711
-%define extra_version 5
+%define extra_version 6
 
 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now.
 # Be careful to change this not to disturb the seamless package update.
@@ -52,11 +52,16 @@ Source2000:    cpupower.service
 Source2001:    cpupower.config
 Source2002:    kvm_stat.logrotate
 # AlmaLinux patches
-## CVE-2026-31431
+## CVE-2026-31431: Copy Fail
 Patch1100:     1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch
-## Dirty Frag
+## CVE-2026-43284: Dirty Frag
 Patch1101:     1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch
+## CVE-2026-43500 Dirty Frag
 Patch1102:     1102-rxrpc-linearize-paged-frags.patch
+## CVE-2026-46300: Fragnesia
+Patch1103:     1103-net-skbuff-propagate-shared-frag-marker.patch 
+## CVE-2026-46333: ssh-keysign-pwn
+Patch1104:     1104-ptrace-require-cap-on-mm-less-task.patch
 
 BuildRequires: kmod, patch, bash, coreutils, tar
 BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk
@@ -239,6 +244,8 @@ glibc package.
 %patch -P 1100 -p1
 %patch -P 1101 -p1
 %patch -P 1102 -p1
+%patch -P 1103 -p1
+%patch -P 1104 -p1
 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig
 perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig
@@ -543,9 +550,13 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc
 %endif
 
 %changelog
+* Thu May 14 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.6
+- net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300}
+- ptrace: require CAP_SYS_PTRACE when task has no mm {CVE-2026-46333}
+
 * Fri May 08 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.5
-- rxrpc: linearize incoming DATA packet when it has paged frags
-- xfrm: esp: avoid in-place decrypt on shared skb frags
+- rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500}
+- xfrm: esp: avoid in-place decrypt on shared skb frags {CVE-2026-43284}
 
 * Thu Apr 30 2026 Koichiro Iwao <meta@almalinux.org> - 6.12.47-20250916.v8.4
 - Update CVE-2026-31431 patch to include more upstream commits