From d74ea96f7716440a3a66a334bafa06dc9072e3a3 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Fri, 15 May 2026 04:06:05 +0000 Subject: [PATCH 1/2] Apply Fragnesia fixes (cherry picked from commit 527de344c793b3595a926483918b907153330bd9) --- ...-skbuff-propagate-shared-frag-marker.patch | 64 +++++++++++++++++++ SPECS/raspberrypi2.spec | 17 +++-- 2 files changed, 76 insertions(+), 5 deletions(-) create mode 100644 SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch diff --git a/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch b/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch new file mode 100644 index 0000000..03b8c53 --- /dev/null +++ b/SOURCES/1103-net-skbuff-propagate-shared-frag-marker.patch @@ -0,0 +1,64 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] net: skbuff: propagate shared-frag marker through pskb_copy() + +Backport of upstream patch posted at +https://lore.kernel.org/all/agRfuVOeMI5pbHhY@v4bel/ +(sibling to the xfrm/esp shared-frag fix upstream commit f4c50a4034e6, +already merged into 6.12.0-124.56.1 via the c10s import). + +__pskb_copy_fclone() shallow-copies the source's frag descriptors and +bumps each page's refcount via skb_frag_ref(), then defers the rest +of the shinfo metadata to skb_copy_header(). That helper only carries +over gso_{size,segs,type} and never touches skb_shinfo()->flags, so +the destination skb keeps a reference to the same externally-owned or +page-cache-backed pages while reporting skb_has_shared_frag() as +false. + +The mismatch is harmful in any in-place writer that uses +skb_has_shared_frag() to decide whether shared pages must be detoured +through skb_cow_data(). ESP input is one such writer (esp4.c, +esp6.c), and a single nft 'dup to ' rule -- or any other +nf_dup_ipv4() / xt_TEE caller -- is enough to land a pskb_copy()'d +skb in esp_input() with the marker stripped, letting an unprivileged +user write into the page cache of a root-owned read-only file via +authencesn-ESN stray writes. + +Set SKBFL_SHARED_FRAG on the destination whenever frag descriptors +were actually moved from the source. skb_copy() and skb_copy_expand() +share skb_copy_header() too but linearize all paged data into freshly +allocated head storage and emerge with nr_frags == 0, so +skb_has_shared_frag() returns false on its own; they need no change. + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.56.1.el10_1. + +Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") +Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") +Reported-by: William Bowling +Reported-by: Hyunwoo Kim +Signed-off-by: Andrew Lukoshko +--- + net/core/skbuff.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2123,6 +2123,7 @@ struct sk_buff *__pskb_copy_fclone(struct sk_buff *skb, int headroom, + skb_frag_ref(skb, i); + } + skb_shinfo(n)->nr_frags = i; ++ skb_shinfo(n)->flags |= skb_shinfo(skb)->flags & SKBFL_SHARED_FRAG; + } + + if (skb_has_frag_list(skb)) { +@@ -6028,6 +6029,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, + from_shinfo->frags, + from_shinfo->nr_frags * sizeof(skb_frag_t)); + to_shinfo->nr_frags += from_shinfo->nr_frags; ++ if (from_shinfo->nr_frags) ++ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; + + if (!skb_cloned(from)) + from_shinfo->nr_frags = 0; +-- +2.43.0 diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index 0b875d0..c68ce9a 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -11,7 +11,7 @@ ExclusiveArch: aarch64 %define local_version v8 %define bcmmodel 2711 -%define extra_version 5 +%define extra_version 6 # This originally implies Kernel 4.x for RPi 2 and is not appropriate now. # Be careful to change this not to disturb the seamless package update. @@ -52,11 +52,14 @@ Source2000: cpupower.service Source2001: cpupower.config Source2002: kvm_stat.logrotate # AlmaLinux patches -## CVE-2026-31431 +## CVE-2026-31431: Copy Fail Patch1100: 1100-CVE-2026-31431-crypto-Copy-Fail-fixes.patch -## Dirty Frag +## CVE-2026-43284: Dirty Frag Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch +## CVE-2026-43500 Dirty Frag Patch1102: 1102-rxrpc-linearize-paged-frags.patch +## CVE-2026-46300: Fragnesia +Patch1103: 1103-net-skbuff-propagate-shared-frag-marker.patch BuildRequires: kmod, patch, bash, coreutils, tar BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk @@ -239,6 +242,7 @@ glibc package. %patch -P 1100 -p1 %patch -P 1101 -p1 %patch -P 1102 -p1 +%patch -P 1103 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig @@ -543,9 +547,12 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %endif %changelog +* Thu May 14 2026 Koichiro Iwao - 6.12.47-20250916.v8.6 +- net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300} + * Fri May 08 2026 Koichiro Iwao - 6.12.47-20250916.v8.5 -- rxrpc: linearize incoming DATA packet when it has paged frags -- xfrm: esp: avoid in-place decrypt on shared skb frags +- rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500} +- xfrm: esp: avoid in-place decrypt on shared skb frags {CVE-2026-43284} * Thu Apr 30 2026 Koichiro Iwao - 6.12.47-20250916.v8.4 - Update CVE-2026-31431 patch to include more upstream commits From 95e2efd89c60e946ff81e44dc502c0f4d7816373 Mon Sep 17 00:00:00 2001 From: Koichiro Iwao Date: Mon, 18 May 2026 05:40:22 +0000 Subject: [PATCH 2/2] Apply ssh-keysign-pwn fix (cherry picked from commit 1b378ac0765b0d699601c17562fa8683d235ff14) --- ...4-ptrace-require-cap-on-mm-less-task.patch | 55 +++++++++++++++++++ SPECS/raspberrypi2.spec | 4 ++ 2 files changed, 59 insertions(+) create mode 100644 SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch diff --git a/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch b/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch new file mode 100644 index 0000000..762151e --- /dev/null +++ b/SOURCES/1104-ptrace-require-cap-on-mm-less-task.patch @@ -0,0 +1,55 @@ +From: Andrew Lukoshko +Subject: [PATCH AlmaLinux 10] ptrace: require CAP_SYS_PTRACE when task has no mm + +kABI-safe AlmaLinux backport of upstream commit 31e62c2ebbfd +("ptrace: slightly saner 'get_dumpable()' logic") posted at +https://github.com/torvalds/linux/commit/31e62c2ebbfdc3fe3dbdf5e02c92a9dc67087a3a + +The upstream fix adds a 'user_dumpable:1' bit to task_struct and +caches the last dumpability in exit_mm() so __ptrace_may_access() +can require CAP_SYS_PTRACE when the target has no mm (e.g. kernel +threads or already-exited user tasks). That layout change to +task_struct breaks kABI on AlmaLinux 10 (the symtype +signature of struct task_struct is referenced by hundreds of +stablelist exports), so we cannot import the field/exit_mm hunks +as-is. + +Take the minimal kABI-safe slice instead: when task->mm == NULL, +require CAP_SYS_PTRACE in init_user_ns unconditionally. This closes +the Qualys Security Advisory hole -- mm-less targets no longer pass +the dumpability check by default -- without touching task_struct or +exit.c. The only behavioural delta versus upstream is that a user +task that has already cleared its mm in exit_mm() (a dying/zombie +task) now also requires CAP_SYS_PTRACE to attach, instead of being +remembered as previously dumpable. Such targets are rarely ptraced +in practice. + +Verified to apply with `patch -p1 -F0` (no offset, no fuzz, no rejects) +against kernel-6.12.0-124.56.1.el10_1. + +Reported-by: Qualys Security Advisory +Signed-off-by: Andrew Lukoshko +--- + kernel/ptrace.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -339,8 +339,11 @@ static int __ptrace_may_access(struct task_struct *task, unsigned int mode) + smp_rmb(); + mm = task->mm; +- if (mm && +- ((get_dumpable(mm) != SUID_DUMP_USER) && +- !ptrace_has_cap(mm->user_ns, mode))) +- return -EPERM; ++ if (mm) { ++ if ((get_dumpable(mm) != SUID_DUMP_USER) && ++ !ptrace_has_cap(mm->user_ns, mode)) ++ return -EPERM; ++ } else if (!ptrace_has_cap(&init_user_ns, mode)) { ++ return -EPERM; ++ } + + return security_ptrace_access_check(task, mode); +-- +2.43.0 diff --git a/SPECS/raspberrypi2.spec b/SPECS/raspberrypi2.spec index c68ce9a..bd98b32 100644 --- a/SPECS/raspberrypi2.spec +++ b/SPECS/raspberrypi2.spec @@ -60,6 +60,8 @@ Patch1101: 1101-xfrm-esp-avoid-in-place-decrypt-shared-skb-frags.patch Patch1102: 1102-rxrpc-linearize-paged-frags.patch ## CVE-2026-46300: Fragnesia Patch1103: 1103-net-skbuff-propagate-shared-frag-marker.patch +## CVE-2026-46333: ssh-keysign-pwn +Patch1104: 1104-ptrace-require-cap-on-mm-less-task.patch BuildRequires: kmod, patch, bash, coreutils, tar BuildRequires: bzip2, xz, findutils, gzip, m4, perl, perl-Carp, make, diffutils, gawk @@ -243,6 +245,7 @@ glibc package. %patch -P 1101 -p1 %patch -P 1102 -p1 %patch -P 1103 -p1 +%patch -P 1104 -p1 perl -p -i -e "s/^EXTRAVERSION.*/EXTRAVERSION = -%{release}/" Makefile perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2711_defconfig perl -p -i -e "s/^CONFIG_LOCALVERSION=.*/CONFIG_LOCALVERSION=/" arch/%{Arch}/configs/bcm2712_defconfig @@ -549,6 +552,7 @@ cp $(ls -1 /boot/config-kernel-*-*|sort -V|tail -1) /boot/config-kernel.inc %changelog * Thu May 14 2026 Koichiro Iwao - 6.12.47-20250916.v8.6 - net: skbuff: propagate shared-frag marker through pskb_copy() {CVE-2026-46300} +- ptrace: require CAP_SYS_PTRACE when task has no mm {CVE-2026-46333} * Fri May 08 2026 Koichiro Iwao - 6.12.47-20250916.v8.5 - rxrpc: linearize incoming DATA packet when it has paged frags {CVE-2026-43500}