** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Cengiz Can (cengizcan)

** Changed in: linux (Ubuntu)
       Status: New => In Progress

** Changed in: linux (Ubuntu)
   Importance: Undecided => Medium

** Also affects: linux (Ubuntu Noble)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Noble)
       Status: New => In Progress

** Changed in: linux (Ubuntu Noble)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Noble)
     Assignee: (unassigned) => Cengiz Can (cengizcan)

-- 
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2155609

Title:
  net/tls: Three upstream fixes without CVE missing from Ubuntu
  6.8.0-124-generic

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Noble:
  In Progress

Bug description:
  == Summary ==

  During source code analysis of Ubuntu 6.8.0-124-generic, 3 upstream
  security fixes in net/tls/tls_sw.c were found missing. None of these
  fixes have been assigned a CVE.

  == Environment ==

  Kernel: 6.8.0-124-generic
  Package: linux-source-6.8.0 (apt)
  Verification method: Source diff vs upstream commits

  == Issue 1: Silent data drop under pipe back-pressure ==

  Upstream fix: 7e7be31bfdb0 (2026-05-02)
  Author: Jakub Kicinski
  CVE: NOT ASSIGNED

  Vulnerable code (tls_sw.c lines 2288-2290):

    if (chunk < rxm->full_len) {
        rxm->offset += len;
        rxm->full_len -= len;

  Required fix:

    if (copied < rxm->full_len) {
        rxm->offset += copied;
        rxm->full_len -= copied;

  Impact: When the pipe is full during tls_sw_splice_read(),
  skb_splice_bits() returns copied < chunk. The Ubuntu code advances
  rxm->offset by len instead of copied, silently skipping unread bytes.
  This causes a data integrity violation in the TLS RX splice path.
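  The bookkeeping error in Issue 1, modelled in a small C program added here (it is not kernel code and not part of the bug report): a 16-byte record is spliced through a pipe with 8 bytes of room, and the buggy advance drops the bytes the pipe could not take while the corrected advance delivers the whole record. The struct names, pipe capacity, request size and payload are assumptions of the model.

```c
#include <string.h>
/* Simplified model of the tls_sw_splice_read() bookkeeping from Issue 1
 * (added illustration, not kernel code). The model pipe has a fixed
 * capacity, so one splice may copy fewer bytes than were requested. */
struct rec  { const char *buf; size_t offset; size_t full_len; };
struct pipe { char data[32]; size_t used; size_t cap; };

/* Stands in for skb_splice_bits(): copies at most the pipe's free space. */
static size_t splice_bits(const struct rec *r, struct pipe *p, size_t chunk)
{
    size_t copied = chunk < p->cap - p->used ? chunk : p->cap - p->used;
    memcpy(p->data + p->used, r->buf + r->offset, copied);
    p->used += copied;
    return copied;
}

/* One pass of the splice loop asking for len bytes. With fixed == 0 the
 * record advances by the requested amount (the Ubuntu code; len == chunk
 * in this branch), with fixed != 0 by the amount actually copied. */
static void splice_once(struct rec *r, struct pipe *p, size_t len, int fixed)
{
    size_t chunk = len < r->full_len ? len : r->full_len;
    size_t copied = splice_bits(r, p, chunk);
    if (chunk < r->full_len) {
        size_t adv = fixed ? copied : len;
        r->offset += adv;
        r->full_len -= adv;
    } else {
        r->full_len = 0;    /* whole record consumed, as consume_skb() */
    }
}

/* Splices a 16-byte record (constructed payload) through an 8-byte pipe
 * in 12-byte requests, draining the pipe after each pass; returns 1 if
 * the bytes delivered are exactly expect, 0 if any were silently skipped. */
int splice_delivers(int fixed, const char *expect)
{
    static const char payload[] = "ABCDEFGHIJKLMNOP";
    struct rec r = { payload, 0, 16 };
    struct pipe p = { {0}, 0, 8 };
    char out[32] = {0}; size_t total = 0;
    while (r.full_len > 0 && total + p.cap < sizeof out) {
        splice_once(&r, &p, 12, fixed);
        memcpy(out + total, p.data, p.used);
        total += p.used;
        p.used = 0;
    }
    return strcmp(out, expect) == 0;
}
```

  With the buggy advance the receiver gets "ABCDEFGHMNOP": the first pass copies 8 bytes but moves the record forward by 12, so "IJKL" never reaches the pipe.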
  == Issue 2: Off-by-one in sg_chain entry count ==

  Upstream fix: 285943c6e7ca (2026-05-14)
  Author: Jakub Kicinski
  CVE: NOT ASSIGNED
  Reported by: 钱一铭 (yimingqian591@gmail.com)

  Vulnerable code (tls_sw.c lines 803-804):

    sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
             MAX_SKB_FRAGS - msg_pl->sg.start + 1,
             msg_pl->sg.data);

  Required fix:

    sg_chain(msg_pl->sg.data, ARRAY_SIZE(msg_pl->sg.data),
             msg_pl->sg.data);

  Impact: When the sk_msg scatterlist ring wraps (sg.end < sg.start),
  the wrong sg_chain index places the chain pointer at
  data[MAX_SKB_FRAGS] instead of the true last entry. The crypto engine
  receives an invalid scatterlist; potential slab-out-of-bounds
  read/write.

  == Issue 3: chain-after-chain prevention in TLS 1.3 ==

  Upstream fix: ff26a0e8377d (2026-05-14)
  Author: Jakub Kicinski
  CVE: NOT ASSIGNED

  Vulnerable code (tls_sw.c line 796):

    sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
             &rec->sg_content_type);

  Required fix:

    sg_chain(msg_pl->sg.data, i + 2, &rec->sg_content_type);

  Impact: SGL does not allow chain-after-chain. For TLS 1.3, the wrong
  chain size when a wrap entry exists causes an invalid scatterlist for
  the content_type byte; potential memory corruption in the crypto path.

  == Verification ==

  Commands to reproduce:

    sudo apt install linux-source-6.8.0
    sudo tar xf /usr/src/linux-source-6.8.0/\
      linux-source-6.8.0.tar.bz2 -C /tmp/

    # Issue 1:
    grep -n "rxm->offset += len" \
      /tmp/linux-source-6.8.0/net/tls/tls_sw.c
    # Expected: line 2289 (vulnerable)

    # Issue 2:
    grep -n "MAX_SKB_FRAGS - msg_pl->sg.start" \
      /tmp/linux-source-6.8.0/net/tls/tls_sw.c
    # Expected: line 804 (vulnerable)

    # Issue 3:
    grep -n "sg.end + 1" \
      /tmp/linux-source-6.8.0/net/tls/tls_sw.c
    # Expected: line 796 (vulnerable)

  == References ==

  7e7be31bfdb0: https://git.kernel.org/torvalds/c/7e7be31bfdb0
  285943c6e7ca: https://git.kernel.org/torvalds/c/285943c6e7ca
  ff26a0e8377d: https://git.kernel.org/torvalds/c/ff26a0e8377d

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2155609/+subscriptions