Skip to content

Commit 3f57685

Browse files
kerneltoastPlaidCat
authored andcommitted
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
cve CVE-2026-43500 commit-author Hyunwoo Kim <imv4bel@gmail.com> commit - commit-source https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel upstream-diff | The conn_event.c hunk is dropped entirely. Upstream wraps the conn->security->verify_response() call inside a new rxrpc_verify_response() function that copies non-linear skbs before in-place decryption. This kernel doesn't have that wrapper; the security op is called directly from rxrpc_process_event(), so there is no call site to patch. The call_event.c hunk applies as-is. The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE handler in rxrpc_verify_response() copy the skb to a linear one before calling into the security ops only when skb_cloned() is true. An skb that is not cloned but still carries paged fragments (skb->data_len != 0) falls through to the in-place decryption path, which binds the frag pages directly into the AEAD/skcipher SGL via skb_to_sgvec(). Extend the gate so that any skb with non-linear data is also copied, ensuring the security handler always operates on a fully linear skb. The OOM/trace handling already in place is reused. Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()") Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com> (cherry picked from commit 544687651fe57721c5e4e76380ed8ef8fdfdc98b) Signed-off-by: Sultan Alsawaf <sultan@ciq.com>
1 parent 7066555 commit 3f57685

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

net/rxrpc/call_event.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -347,7 +347,7 @@ bool rxrpc_input_call_event(struct rxrpc_call *call, struct sk_buff *skb)
347347

348348
if (sp->hdr.type == RXRPC_PACKET_TYPE_DATA &&
349349
sp->hdr.securityIndex != 0 &&
350-
skb_cloned(skb)) {
350+
(skb_cloned(skb) || skb->data_len)) {
351351
/* Unshare the packet so that it can be
352352
* modified by in-place decryption.
353353
*/

0 commit comments

Comments
 (0)