NACK: [SRU][N/P][PATCH 0/1] CVE-2025-39946

[Massimiliano Pellizzer]

On Fri, 10 Oct 2025 at 20:27, Tim Whisonant <tim.whisonant at canonical.com> wrote:
>
> SRU Justification:
>
> [Impact]
>
> tls: make sure to abort the stream if headers are bogus
>
> Normally we wait for the socket to buffer up the whole record
> before we service it. If the socket has a tiny buffer, however,
> we read out the data sooner, to prevent connection stalls.
> Make sure that we abort the connection when we find out late
> that the record is actually invalid. Retrying the parsing is
> fine in itself but since we copy some more data each time
> before we parse we can overflow the allocated skb space.
>
> Constructing a scenario in which we're under pressure without
> enough data in the socket to parse the length upfront is quite
> hard. syzbot figured out a way to do this by serving us the header
> in small OOB sends, and then filling in the recvbuf with a large
> normal send.
>
> Make sure that tls_rx_msg_size() aborts strp, if we reach
> an invalid record there's really no way to recover.
>
> [Fix]
>
> Plucky:   applied Noble patch
> Noble:    cherry picked from upstream
> Jammy:    not affected
> Focal:    not affected
> Bionic:   not affected
> Xenial:   not affected
> Trusty:   not affected
>
> [Test Plan]
>
> Compile and boot tested.
>
> [Where problems could occur]
>
> The changes affect the net TLS stream parser. Issues might
> arise as failures to decode encrypted streams while in
> the state created by the syzbot check mentioned above.
>
> Jakub Kicinski (1):
>   tls: make sure to abort the stream if headers are bogus
>
>  net/tls/tls.h      |  1 +
>  net/tls/tls_strp.c | 14 +++++++++-----
>  net/tls/tls_sw.c   |  3 +--
>  3 files changed, 11 insertions(+), 7 deletions(-)
>
> --
> 2.43.0
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team

Plucky patch does not apply cleanly.

-- 
Massimiliano Pellizzer