git.ipfire.org Git - thirdparty/kernel/stable.git/commit
rxrpc: Fix RESPONSE packet verification to extract skb to a linear buffer
author David Howells <dhowells@redhat.com>
Fri, 15 May 2026 23:05:15 +0000 (00:05 +0100)
committer Jakub Kicinski <kuba@kernel.org>
Wed, 20 May 2026 23:36:45 +0000 (16:36 -0700)
commit 8bfab4b6ffc2fe92da86300728fc8c3c7ebffb56
tree 9ff4edd469803c829ad5e9cd4d94f73e685fc34e
parent d2bc90cf6c75cb96d2ce549be6c35efa3099d25b

This improves the fix for CVE-2026-43500.

Fix the verification of RESPONSE packets to avoid the problem of
overwriting a RESPONSE packet sent via splice to a local address by
extracting the contents of the UDP packet into a kmalloc'd linear buffer
rather than decrypting the data in place in the sk_buff (which may corrupt
the original buffer).

Fixes: 24481a7f5733 ("rxrpc: Fix conn-level packet handling to unshare RESPONSE packets")
Reported-by: Hyunwoo Kim <imv4bel@gmail.com>
Closes: https://lore.kernel.org/r/afKV2zGR6rrelPC7@v4bel/
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Simon Horman <horms@kernel.org>
cc: Jiayuan Chen <jiayuan.chen@linux.dev>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
Tested-by: Marc Dionne <marc.dionne@auristor.com>
Link: https://patch.msgid.link/20260515230516.2718212-4-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/rxrpc/ar-internal.h
net/rxrpc/conn_event.c
net/rxrpc/insecure.c
net/rxrpc/rxgk.c
net/rxrpc/rxgk_app.c
net/rxrpc/rxgk_common.h
net/rxrpc/rxkad.c