]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
projects / thirdparty / kernel / linux.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 2b50ace) | patch
rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg
authorDavid Howells <dhowells@redhat.com>
Fri, 15 May 2026 23:05:14 +0000 (00:05 +0100)
committerJakub Kicinski <kuba@kernel.org>
Wed, 20 May 2026 23:36:45 +0000 (16:36 -0700)
commitd2bc90cf6c75cb96d2ce549be6c35efa3099d25b
treeadd7e3f07bc1982e4d4901fb92713d579c966557tree | snapshot
parent2b50aceafe6606ea52ed42aadd1b4d44a188aadecommit | diff
rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in recvmsg

This improves the fix for CVE-2026-43500.

Fix the pagecache corruption from in-place decryption of a DATA packet
transmitted locally by splice() by getting rid of the packet sharing in the
I/O thread and unconditionally extracting the packet content into a bounce
buffer in which the buffer is decrypted.  recvmsg() (or the kernel
equivalent) then copies the data from the bounce buffer to the destination
buffer.  The sk_buff then remains unmodified.

This has an additional advantage in that the packet is then arranged in the
buffer with the correct alignment required for the crypto algorithms to
process directly.  The performance of the crypto does seem to be a little
faster and, surprisingly, the unencrypted performance doesn't seem to
change much - possibly due to removing complexity from the I/O thread.

Yet another advantage is that the I/O thread doesn't have to copy packets
which would slow down packet distribution, ACK generation, etc..

The buffer belongs to the call and is allocated initially at 2K,
sufficiently large to hold a whole jumbo subpacket, but the buffer will be
increased in size if needed.  However, to take this work, MSG_PEEK may
cause a later packet to be decrypted into the buffer, in which case the
earlier one will need re-decrypting for a subsequent recvmsg().

Note that rx_pkt_offset may legitimately see 0 as a valid offset now, so
switch to using USHRT_MAX to indicate an invalid offset.

Note also that I would generally prefer to replace the buffers of the
current sk_buff with a new kmalloc'd buffer of the right size, ditching the
old data and frags as this makes the handling of MSG_PEEK easier and
removes the re-decryption issue, but this looks like quite a complicated
thing to achieve.  skb_morph() looks half way to what I want, but I don't
want to have to allocate a new sk_buff.

Fixes: d0d5c0cd1e71 ("rxrpc: Use skb_unshare() rather than skb_cow_data()")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: linux-afs@lists.infradead.org
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
Link: https://patch.msgid.link/20260515230516.2718212-3-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/rxrpc/ar-internal.h diff | blob | blame | history
net/rxrpc/call_event.c diff | blob | blame | history
net/rxrpc/call_object.c diff | blob | blame | history
net/rxrpc/insecure.c diff | blob | blame | history
net/rxrpc/recvmsg.c diff | blob | blame | history
net/rxrpc/rxgk.c diff | blob | blame | history
net/rxrpc/rxgk_common.h diff | blob | blame | history
net/rxrpc/rxkad.c diff | blob | blame | history
A mirror of Linus' kernel repository