Commit e1a0c4e
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
cve CVE-2026-43500
commit-author Hyunwoo Kim <imv4bel@gmail.com>
commit -
commit-source https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel
upstream-diff |
The conn_event.c hunk is dropped entirely. Upstream wraps the
conn->security->verify_response() call inside a new
rxrpc_verify_response() function that copies non-linear skbs before
in-place decryption. This kernel doesn't have that wrapper; the
security op is called directly from rxrpc_process_event(), so there
is no call site to patch. The call_event.c hunk applies as-is.
The DATA-packet handler in rxrpc_input_call_event() and the RESPONSE
handler in rxrpc_verify_response() copy the skb to a linear one before
calling into the security ops only when skb_cloned() is true. An skb
that is not cloned but still carries paged fragments (skb->data_len != 0)
falls through to the in-place decryption path, which binds the frag
pages directly into the AEAD/skcipher SGL via skb_to_sgvec().
Extend the gate so that any skb with non-linear data is also copied,
ensuring the security handler always operates on a fully linear skb.
The OOM/trace handling already in place is reused.
Fixes: d0d5c0c ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
(cherry picked from commit 544687651fe57721c5e4e76380ed8ef8fdfdc98b)
Signed-off-by: Sultan Alsawaf <sultan@ciq.com>1 parent eef2685 commit e1a0c4e
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
347 | 347 | | |
348 | 348 | | |
349 | 349 | | |
350 | | - | |
| 350 | + | |
351 | 351 | | |
352 | 352 | | |
353 | 353 | | |
| |||
0 commit comments