** Description changed:

- == Summary ==
- During source code analysis of Ubuntu 6.8.0-124-generic,
- 3 upstream security fixes in net/tls/tls_sw.c were found
- missing. None of these fixes have been assigned a CVE.
+ [ Impact ]

- == Environment ==
- Kernel: 6.8.0-124-generic
- Package: linux-source-6.8.0 (apt)
- Verification method: Source diff vs upstream commits
+ Three upstream net/tls bug fixes are missing from Noble (6.8.0, present
+ through 6.8.0-132.133). All three touch net/tls/tls_sw.c, affect only
+ kTLS sockets, and were not assigned a CVE upstream. They address data
+ integrity and memory safety issues in the TLS software path:

- == Issue 1: Silent data drop under pipe back-pressure ==
- Upstream fix: 7e7be31bfdb0 (2026-05-02)
- Author: Jakub Kicinski
- CVE: NOT ASSIGNED
+ 1) Silent data drop under pipe back-pressure.
+    tls_sw_splice_read() advances rxm->offset / rxm->full_len by the
+    requested length instead of the number of bytes actually spliced
+    into the pipe. When the destination pipe cannot accept everything,
+    splice_to_pipe() returns fewer bytes than requested and the
+    difference is silently skipped, corrupting the TLS RX stream.

- Vulnerable code (tls_sw.c line 2288-2290):
-     if (chunk < rxm->full_len) {
-         rxm->offset += len;
-         rxm->full_len -= len;
+ 2) Off-by-one in the sg_chain() entry count for a wrapped sk_msg ring.
+    When the sk_msg scatterlist ring wraps (sg.end < sg.start), the
+    chain pointer is placed one entry short of the true last entry, so
+    the crypto engine is handed a malformed scatterlist.

- Required fix:
-     if (copied < rxm->full_len) {
-         rxm->offset += copied;
-         rxm->full_len -= copied;
+ 3) chain-after-chain in the plaintext SG path.
+    When the ring is empty (end == 0) the existing code emits a chain
+    link that points directly at another chain link. The scatterlist
+    API (sg_next) does not resolve consecutive chain links, so this is
+    illegal input to crypto.

- Impact: When pipe is full during tls_sw_splice_read(),
- skb_splice_bits() returns copied < chunk.
- Ubuntu code advances rxm->offset by len instead
- of copied, silently skipping unread bytes.
- Causes data integrity violation in TLS RX splice path.
+ [ Fix ]

- == Issue 2: Off-by-one in sg_chain entry count ==
- Upstream fix: 285943c6e7ca (2026-05-14)
- Author: Jakub Kicinski
- CVE: NOT ASSIGNED
- Reported by: 钱一铭 (yimingqian591@gmail.com)
+ Clean cherry-picks of the following upstream commits, in order:

- Vulnerable code (tls_sw.c line 803-804):
-     sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
-              MAX_SKB_FRAGS - msg_pl->sg.start + 1,
-              msg_pl->sg.data);
+ 7e7be31bfdb0 ("net: tls: fix silent data drop under pipe back-pressure")
+ 285943c6e7ca ("net: tls: fix off-by-one in sg_chain entry count for
+ wrapped sk_msg ring")
+ ff26a0e8377d ("net: tls: prevent chain-after-chain in plain text SG")

- Required fix:
-     sg_chain(msg_pl->sg.data,
-              ARRAY_SIZE(msg_pl->sg.data),
-              msg_pl->sg.data);
+ (1) fixes commit e062fe99cccd; (2) and (3) fix commit 9aaaa56845a0.
+ Both Fixes: targets are present in Noble.

- Impact: When sk_msg scatterlist ring wraps
- (sg.end < sg.start), wrong sg_chain index
- places chain pointer at data[MAX_SKB_FRAGS]
- instead of true last entry.
- Crypto engine receives invalid scatterlist,
- potential slab-out-of-bounds read/write.
+ [ Test Plan ]

- == Issue 3: chain-after-chain prevention in TLS 1.3 ==
- Upstream fix: ff26a0e8377d (2026-05-14)
- Author: Jakub Kicinski
- CVE: NOT ASSIGNED
+ Build: CBD build cengiz-noble-a55bcaa0d741-8479
+   amd64: BUILD-OK
+   arm64: BUILD-OK
+   armhf: BUILD-OK
+   ppc64el: BUILD-OK
+   s390x: BUILD-OK

- Vulnerable code (tls_sw.c line 796):
-     sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
-              &rec->sg_content_type);
+ Boot: PASS (Kybele uvt-kvm boot test using the amd64 CBD artifacts)
+   Kernel: 6.8.0-132-generic
+   uname -v: #133 SMP PREEMPT_DYNAMIC Wed Jun 24 11:46:08 UTC 2026

- Required fix:
-     sg_chain(msg_pl->sg.data, i + 2,
-              &rec->sg_content_type);
+ [ Where Problems Could Occur ]

- Impact: SGL does not allow chain-after-chain.
- For TLS 1.3, wrong chain size when wrap entry
- exists causes invalid scatterlist for
- content_type byte, potential memory corruption
- in crypto path.
+ The changes are confined to net/tls/tls_sw.c and only affect TLS
+ sockets that use the kernel TLS software path. A regression would
+ manifest as TLS send/receive failures or data corruption on kTLS
+ sockets; traffic that does not use kTLS is unaffected.

- == Verification ==
- Commands to reproduce:
+ [ Other Info ]

- sudo apt install linux-source-6.8.0
- sudo tar xf /usr/src/linux-source-6.8.0/\
-   linux-source-6.8.0.tar.bz2 -C /tmp/
-
- # Issue 1:
- grep -n "rxm->offset += len" \
-   /tmp/linux-source-6.8.0/net/tls/tls_sw.c
- # Expected: line 2289 (vulnerable)
-
- # Issue 2:
- grep -n "MAX_SKB_FRAGS - msg_pl->sg.start" \
-   /tmp/linux-source-6.8.0/net/tls/tls_sw.c
- # Expected: line 804 (vulnerable)
-
- # Issue 3:
- grep -n "sg.end + 1" \
-   /tmp/linux-source-6.8.0/net/tls/tls_sw.c
- # Expected: line 796 (vulnerable)
-
- == References ==
- 7e7be31bfdb0: https://git.kernel.org/torvalds/c/7e7be31bfdb0
- 285943c6e7ca: https://git.kernel.org/torvalds/c/285943c6e7ca
- ff26a0e8377d: https://git.kernel.org/torvalds/c/ff26a0e8377d
+ None of these commits carry a CVE upstream.
+ They are pure upstream cherry-picks with no Ubuntu-specific adaptations.

-- 
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2155609

Title:
  net/tls: Three upstream fixes without CVE missing from Ubuntu
  6.8.0-124-generic

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Noble:
  In Progress
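As an added example (not code from the bug report, the upstream commits or the Ubuntu kernel), the following userspace C model of the sk_msg scatterlist ring shows why the pre-fix wrap chain in issue 2 loses an entry and what the chain-after-chain shape in issue 3 looks like to a walker that resolves links the way sg_next() does. It assumes the ring layout from include/linux/skmsg.h (MAX_MSG_FRAGS + 1 data slots followed by one slot reserved for the wrap link) and a constructed MAX_SKB_FRAGS of 17; the model_sg_chain(), fill_wrapped() and walk_bytes() helpers and the scenario indices are hypothetical. The replacement entry count `i + 2` from the third fix is not modeled, since its `i` is not given on this page.

```c
/*
 * Userspace model of the sk_msg scatterlist ring that net/tls/tls_sw.c hands
 * to the crypto engine (added example, not kernel code). It keeps only two
 * facts the fixes rely on: sg_chain(sgl, nents, next) turns sgl[nents - 1]
 * into a link to next, and the ring has MAX_SKB_FRAGS + 1 data slots followed
 * by one spare slot for that link (data[MAX_MSG_FRAGS + 2] in skmsg.h).
 */
#include <string.h>

#define MAX_SKB_FRAGS 17u                 /* constructed; real value is config-dependent */
#define NR_DATA_SLOTS (MAX_SKB_FRAGS + 1) /* indices 0..MAX_SKB_FRAGS hold data */
#define RING_LEN      (MAX_SKB_FRAGS + 2) /* plus one trailing slot for the wrap link */

enum sg_kind { SG_UNUSED = 0, SG_DATA, SG_CHAIN };

struct sg_entry {
	enum sg_kind kind;
	int len;                     /* payload bytes of an SG_DATA entry */
	const struct sg_entry *next; /* target of an SG_CHAIN entry */
};

struct msg_ring {
	unsigned start, end;
	struct sg_entry data[RING_LEN];
};

/* Stand-in for rec->sg_content_type; the second element is an end marker. */
static const struct sg_entry content_type[2] = { { SG_DATA, 1, NULL }, { SG_UNUSED, 0, NULL } };

/* Model of sg_chain(): the last of nents entries becomes a link to next. */
static void model_sg_chain(struct sg_entry *sgl, unsigned nents, const struct sg_entry *next)
{
	sgl[nents - 1].kind = SG_CHAIN;
	sgl[nents - 1].next = next;
}

/* Build a wrapped ring (end < start): data occupies start..MAX_SKB_FRAGS and then
 * 0..end-1, each entry with a distinct length so a lost entry shows in the byte
 * count. Returns the total bytes the ring holds. */
static int fill_wrapped(struct msg_ring *r, unsigned start, unsigned end)
{
	int total = 0;

	memset(r, 0, sizeof(*r));
	r->start = start;
	r->end = end;
	for (unsigned i = 0; i < NR_DATA_SLOTS; i++) {
		if (i >= start || i < end) {
			r->data[i].kind = SG_DATA;
			r->data[i].len = 100 + (int)i;
			total += r->data[i].len;
		}
	}
	return total;
}

/* Walk like sg_next(): step to the adjacent entry and, if it is a link, jump once
 * to its target. A link whose target is itself a link is the chain-after-chain
 * case sg_next() cannot resolve; report it as -1. Otherwise return the data
 * bytes reached before the first unused entry. */
static int walk_bytes(const struct sg_entry *sg)
{
	int bytes = 0;

	for (unsigned steps = 0; steps < RING_LEN + 2 && sg->kind == SG_DATA; steps++) {
		bytes += sg->len;
		sg++;
		if (sg->kind == SG_CHAIN) {
			sg = sg->next;
			if (sg->kind == SG_CHAIN)
				return -1;
		}
	}
	return bytes;
}

#define SCN_START 5u /* constructed scenario: wrapped ring with live data in slot MAX_SKB_FRAGS */
#define SCN_END   3u

/* Total bytes the scenario ring holds, i.e. what the crypto engine should see. */
int scenario_expected_bytes(void)
{
	struct msg_ring r;
	return fill_wrapped(&r, SCN_START, SCN_END);
}

/* Bytes the walker reaches with the pre-fix wrap link (fixed == 0) or the fixed one. */
int scenario_bytes(int fixed)
{
	struct msg_ring r;
	fill_wrapped(&r, SCN_START, SCN_END);
	if (fixed) /* upstream 285943c6e7ca: sg_chain(data, ARRAY_SIZE(data), data) -> spare slot */
		model_sg_chain(r.data, RING_LEN, r.data);
	else       /* pre-fix: sg_chain(&data[start], MAX_SKB_FRAGS - start + 1, data) -> data[MAX_SKB_FRAGS] */
		model_sg_chain(&r.data[r.start], MAX_SKB_FRAGS - r.start + 1, r.data);
	return walk_bytes(&r.data[r.start]);
}

/* Issue 3 shape: end == 0 and the old sg_chain(data, end + 1, &content_type). */
int tls13_end_zero_old(void)
{
	struct msg_ring r;
	fill_wrapped(&r, SCN_START, 0);
	model_sg_chain(r.data, RING_LEN, r.data);        /* wrap link: data[18] -> data[0] */
	model_sg_chain(r.data, r.end + 1, content_type); /* end + 1 == 1: data[0] becomes a link too */
	return walk_bytes(&r.data[r.start]);             /* link lands on link: -1 */
}
```

With the constructed indices the pre-fix link overwrites the live entry in data[MAX_SKB_FRAGS], so the walker reaches 117 bytes fewer than the ring holds; the fixed link sits in the spare slot and every entry is reached. In the end == 0 case the wrap link's target is itself a link, which the walker reports as the chain-after-chain error the third fix removes.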