NACK: [SRU][N/P][PATCH 0/1] CVE-2025-39946
Tim Whisonant
tim.whisonant at canonical.com
Tue Oct 14 23:17:18 UTC 2025
On Mon, Oct 13, 2025 at 10:41:23AM +0200, Massimiliano Pellizzer wrote:
> On Fri, 10 Oct 2025 at 20:27, Tim Whisonant <tim.whisonant at canonical.com> wrote:
> >
> > SRU Justification:
> >
> > [Impact]
> >
> > tls: make sure to abort the stream if headers are bogus
> >
> > Normally we wait for the socket to buffer up the whole record
> > before we service it. If the socket has a tiny buffer, however,
> > we read out the data sooner, to prevent connection stalls.
> > Make sure that we abort the connection when we find out late
> > that the record is actually invalid. Retrying the parsing is
> > fine in itself but since we copy some more data each time
> > before we parse we can overflow the allocated skb space.
> >
> > Constructing a scenario in which we're under pressure without
> > enough data in the socket to parse the length upfront is quite
> > hard. syzbot figured out a way to do this by serving us the header
> > in small OOB sends, and then filling in the recvbuf with a large
> > normal send.
> >
> > Make sure that tls_rx_msg_size() aborts strp; if we reach
> > an invalid record there's really no way to recover.
> >
> > [Fix]
> >
> > Plucky: applied Noble patch
> > Noble: cherry picked from upstream
> > Jammy: not affected
> > Focal: not affected
> > Bionic: not affected
> > Xenial: not affected
> > Trusty: not affected
> >
> > [Test Plan]
> >
> > Compile and boot tested.
> >
> > [Where problems could occur]
> >
> > The changes affect the net TLS stream parser. Issues might
> > arise as failures to decode encrypted streams while in
> > the state created by the syzbot check mentioned above.
> >
> > Jakub Kicinski (1):
> > tls: make sure to abort the stream if headers are bogus
> >
> > net/tls/tls.h | 1 +
> > net/tls/tls_strp.c | 14 +++++++++-----
> > net/tls/tls_sw.c | 3 +--
> > 3 files changed, 11 insertions(+), 7 deletions(-)
> >
> > --
> > 2.43.0
> >
> >
> > --
> > kernel-team mailing list
> > kernel-team at lists.ubuntu.com
> > https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
> Plucky patch does not apply cleanly.
>
> --
> Massimiliano Pellizzer
>
Sorry about that. I will send a v2.
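The [Impact] text above describes the failure mode in the abstract: a stream parser that retries header parsing after every extra copy keeps consuming the space allocated for one record, whereas aborting on the first bogus header stops the stream immediately. The following is an added userspace model of that difference, not the kernel's net/tls code and not part of this thread. The 5-byte record header layout (type, 2-byte version, 2-byte length) and the 2^14 + 2048 payload limit come from RFC 5246; the 64-byte buffer, the `record_size()` validity rules, the `strp_sim` structure and the constructed inputs are assumptions made for the model. The pre-fix path reports `STRP_BUF_EXHAUSTED` at the point where a real parser would run past its buffer instead of writing out of bounds.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* TLS record header (RFC 5246 6.2.1): 1-byte type, 2-byte version, 2-byte length. */
#define TLS_HEADER_SIZE 5
/* Largest TLS 1.2 ciphertext fragment: 2^14 + 2048 bytes (RFC 5246). */
#define TLS_MAX_PAYLOAD (16384 + 2048)
/* Constructed: tiny buffer standing in for the space allocated for one record. */
#define RXBUF_SIZE 64

enum strp_status {
    STRP_NEED_MORE,      /* header or body incomplete, wait for more bytes */
    STRP_RECORD_READY,   /* a whole, well-formed record is buffered */
    STRP_ABORTED,        /* parser gave up on the stream */
    STRP_BUF_EXHAUSTED   /* pre-fix path ran out of buffer while retrying */
};

struct strp_sim {            /* hypothetical model state, not the kernel's strp */
    uint8_t buf[RXBUF_SIZE];
    size_t len;
    int abort_on_bogus;      /* 1: patched behaviour, 0: pre-patch behaviour */
    int aborted;
};

/* Hypothetical stand-in for tls_rx_msg_size(): full record length, 0 if the
 * header is incomplete, -1 if it cannot be a valid record header. The checks
 * are assumptions for this model, not the kernel's exact rules. */
static long record_size(const uint8_t *buf, size_t len)
{
    if (len < TLS_HEADER_SIZE)
        return 0;
    uint8_t type = buf[0];
    uint8_t major = buf[1];
    unsigned payload = ((unsigned)buf[3] << 8) | buf[4];

    if (type < 20 || type > 23)   /* change_cipher_spec .. application_data */
        return -1;
    if (major != 3)               /* SSLv3 and TLS 1.x all use major version 3 */
        return -1;
    if (payload > TLS_MAX_PAYLOAD)
        return -1;
    return (long)(TLS_HEADER_SIZE + payload);
}

/* Copy newly received bytes into the record buffer, then (re)parse. */
static enum strp_status strp_feed(struct strp_sim *s, const uint8_t *data, size_t n)
{
    if (s->aborted)
        return STRP_ABORTED;
    if (s->len + n > RXBUF_SIZE)   /* a real parser would overrun here */
        return STRP_BUF_EXHAUSTED;
    memcpy(s->buf + s->len, data, n);
    s->len += n;

    long sz = record_size(s->buf, s->len);
    if (sz < 0) {
        if (s->abort_on_bogus) {   /* patched: an invalid header is final */
            s->aborted = 1;
            return STRP_ABORTED;
        }
        return STRP_NEED_MORE;     /* pre-fix: silently retry on the next read */
    }
    if (sz == 0 || (size_t)sz > s->len)
        return STRP_NEED_MORE;
    return STRP_RECORD_READY;
}

/* Constructed scenario with the shape described in the thread: the header
 * arrives in small pieces, then a large normal send fills the buffer. */
static enum strp_status run_bogus_header_scenario(int abort_on_bogus)
{
    struct strp_sim s = { .len = 0, .abort_on_bogus = abort_on_bogus, .aborted = 0 };
    const uint8_t bogus_hdr[TLS_HEADER_SIZE] = { 0x42, 0x03, 0x03, 0x00, 0x10 }; /* 0x42: not a record type */
    uint8_t filler[8] = { 0 };
    enum strp_status st = STRP_NEED_MORE;

    for (size_t i = 0; i < TLS_HEADER_SIZE && st == STRP_NEED_MORE; i++)
        st = strp_feed(&s, &bogus_hdr[i], 1);
    /* Bounded loop so a model bug cannot spin forever. */
    for (int round = 0; round < 32 && st == STRP_NEED_MORE; round++)
        st = strp_feed(&s, filler, sizeof filler);
    return st;
}

/* Constructed well-formed application_data record with a 4-byte body. */
static enum strp_status run_valid_record_scenario(void)
{
    struct strp_sim s = { .len = 0, .abort_on_bogus = 1, .aborted = 0 };
    const uint8_t rec[] = { 0x17, 0x03, 0x03, 0x00, 0x04, 'd', 'a', 't', 'a' };
    enum strp_status st = STRP_NEED_MORE;

    for (size_t i = 0; i < sizeof rec && st == STRP_NEED_MORE; i++)
        st = strp_feed(&s, &rec[i], 1);
    return st;
}

int main(void)
{
    printf("pre-fix, bogus header : %d (3 = buffer exhausted)\n", run_bogus_header_scenario(0));
    printf("patched, bogus header : %d (2 = aborted)\n", run_bogus_header_scenario(1));
    printf("patched, valid record : %d (1 = record ready)\n", run_valid_record_scenario());
    return 0;
}
```

With the pre-fix setting the parser keeps answering "need more" after every copy until the 64-byte buffer is gone; with the patched setting it aborts on the fifth header byte and never copies the filler at all, which is the property the upstream change enforces in `tls_rx_msg_size()`.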