APPLIED: [SRU][N/P][PATCH v2 0/1] CVE-2025-38616

Edoardo Canepa edoardo.canepa at canonical.com
Fri Oct 10 11:01:31 UTC 2025 

Applied to [plucky/noble]/master-next. Thanks.

On 9/27/25 02:15, Tim Whisonant wrote:
> SRU Justification:
>
> [Impact]
>
> tls: handle data disappearing from under the TLS ULP
>
> TLS expects that it owns the receive queue of the TCP socket.
> This cannot be guaranteed in case the reader of the TCP socket
> entered before the TLS ULP was installed, or uses some non-standard
> read API (eg. zerocopy ones). Replace the WARN_ON() and a buggy
> early exit (which leaves anchor pointing to a freed skb) with real
> error handling. Wipe the parsing state and tell the reader to retry.
>
> We already reload the anchor every time we (re)acquire the socket lock,
> so the only condition we need to avoid is an out of bounds read
> (not having enough bytes in the socket for previously parsed record len).
>
> If some data was read from under TLS but there's enough in the queue
> we'll reload and decrypt what is most likely not a valid TLS record.
> Leading to some undefined behavior from TLS perspective (corrupting
> a stream? missing an alert? missing an attack?) but no kernel crash
> should take place.
>
> [Fix]
>
> Plucky:   applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The changes appear in the TLS stream parsing logic.
> Issues might manifest as mal-formatted packets or packet
> errors.
>
> [Notes]
>
> v2 - the v1 incorrectly included a patch for Questing,
> which got that commit by other means. v2 removes the
> Questing patch.
>
> Jakub Kicinski (1):
>    tls: handle data disappearing from under the TLS ULP
>
>   net/tls/tls.h      |  2 +-
>   net/tls/tls_strp.c | 11 ++++++++---
>   net/tls/tls_sw.c   |  3 ++-
>   3 files changed, 11 insertions(+), 5 deletions(-)
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0x20F88172E14F6784.asc
Type: application/pgp-keys
Size: 3167 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251010/adf7ac55/attachment.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20251010/adf7ac55/attachment.sig>

More information about the kernel-team mailing list