NAK/cmt: Re: [SRU][N/P][PATCH v2 0/1] CVE-2025-39946

Tim Whisonant tim.whisonant at canonical.com
Thu Oct 16 00:45:16 UTC 2025


On Wed, Oct 15, 2025 at 06:12:47PM +0200, Paolo Pisati wrote:
> On Tue, Oct 14, 2025 at 04:18:32PM -0700, Tim Whisonant wrote:
> > SRU Justification:
> > 
> > [Impact]
> > 
> > tls: make sure to abort the stream if headers are bogus
> > 
> > Normally we wait for the socket to buffer up the whole record
> > before we service it. If the socket has a tiny buffer, however,
> > we read out the data sooner, to prevent connection stalls.
> > Make sure that we abort the connection when we find out late
> > that the record is actually invalid. Retrying the parsing is
> > fine in itself but since we copy some more data each time
> > before we parse we can overflow the allocated skb space.
> > 
> > Constructing a scenario in which we're under pressure without
> > enough data in the socket to parse the length upfront is quite
> > hard. syzbot figured out a way to do this by serving us the header
> > in small OOB sends, and then filling in the recvbuf with a large
> > normal send.
> > 
> > Make sure that tls_rx_msg_size() aborts strp, if we reach
> > an invalid record there's really no way to recover.
> > 
> > [Fix]
> > 
> > Plucky:   cherry picked from upstream
> > Noble:    cherry picked from upstream
> > Jammy:    not affected
> > Focal:    not affected
> > Bionic:   not affected
> > Xenial:   not affected
> > Trusty:   not affected
> > 
> > [Test Plan]
> > 
> > Compile and boot tested.
> > 
> > [Where problems could occur]
> > 
> > The changes affect the net TLS stream parser. Issues might
> > arise as failures to decode encrypted streams while in
> > the state created by the syzbot check mentioned above.
> > 
> > [Notes]
> > 
> > v2 - Review of v1 discovered that the patch no longer applied
> > to the Plucky branch. v2 was created by rebasing the branch
> > and cherry-picking the fix commit to Plucky.
> > 
> > Jakub Kicinski (1):
> >   tls: make sure to abort the stream if headers are bogus
> > 
> >  net/tls/tls.h      |  1 +
> >  net/tls/tls_strp.c | 14 +++++++++-----
> >  net/tls/tls_sw.c   |  3 +--
> >  3 files changed, 11 insertions(+), 7 deletions(-)
> 
> Thanks for your patches Tim, but they are all missing the BugLink, can you send
> a V2?
> 
> Thanks.
> -- 
> bye,
> p.

Hi Paolo, do we need a BugLink for CVEs now? Sorry, I wasn't aware of
that. Which bug would we use?

Tim
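The cover letter above describes the failure mode of the net/tls stream parser: when the socket buffer is tiny the parser copies data in pieces, and if a bogus header is merely reported rather than aborting the stream, every retry copies more bytes into the already allocated record space. The following C program is an added illustration of that behaviour and is not the kernel's net/tls code; the buffer size, the header check in rx_msg_size(), the constructed record bytes, and the function names are all assumptions of this model. It keeps a pre-fix variant (bad header swallowed, parse retried) beside the fixed variant (stream aborted on the first bad header) and replays the scenario described above: a bogus header delivered a byte at a time, followed by a large normal send.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a record stream parser. It is not the kernel's
 * net/tls/tls_strp.c; all names, sizes and record bytes are assumptions. */

#define REC_BUF_SIZE 64     /* stands in for the allocated skb space */
#define HDR_LEN      5      /* TLS record header: type(1) version(2) length(2) */
#define MAX_REC_LEN  32     /* largest record body this model accepts */

enum strp_status {
    STRP_NEED_MORE,   /* header or body incomplete, call again with more data */
    STRP_COMPLETE,    /* a full record is in the buffer */
    STRP_ABORTED,     /* stream aborted on a bogus header (fixed behaviour) */
    STRP_OVERFLOW     /* more data than the buffer holds (models the skb overflow) */
};

struct strp {
    uint8_t buf[REC_BUF_SIZE];
    size_t  len;              /* bytes copied so far */
    int     abort_on_bad_hdr; /* 0 = pre-fix behaviour, 1 = fixed behaviour */
    int     aborted;
};

static void strp_init(struct strp *s, int fixed)
{
    memset(s, 0, sizeof(*s));
    s->abort_on_bad_hdr = fixed;
}

/* Models tls_rx_msg_size(): >0 full record length, 0 need more header
 * bytes, -1 the header is invalid. */
static int rx_msg_size(const uint8_t *hdr, size_t len)
{
    if (len < HDR_LEN)
        return 0;
    if (hdr[0] != 0x17)      /* only "application data" accepted in this model */
        return -1;
    size_t body = ((size_t)hdr[3] << 8) | hdr[4];
    if (body == 0 || body > MAX_REC_LEN)
        return -1;
    return (int)(HDR_LEN + body);
}

/* One delivery of n bytes from the socket into the parser's buffer. */
static enum strp_status strp_feed(struct strp *s, const uint8_t *data, size_t n)
{
    if (s->aborted)
        return STRP_ABORTED;         /* fixed: nothing further is copied */
    if (s->len + n > REC_BUF_SIZE)
        return STRP_OVERFLOW;        /* the model reports what the real bug overflows */
    memcpy(s->buf + s->len, data, n);
    s->len += n;

    int sz = rx_msg_size(s->buf, s->len);
    if (sz < 0) {
        if (s->abort_on_bad_hdr) {
            s->aborted = 1;
            return STRP_ABORTED;
        }
        return STRP_NEED_MORE;       /* pre-fix: error swallowed, parse retried later */
    }
    if (sz == 0 || (size_t)sz > s->len)
        return STRP_NEED_MORE;
    return STRP_COMPLETE;
}

/* Replay the scenario from the cover letter: a bogus header arrives in
 * tiny pieces, then a large normal send keeps delivering data. */
enum strp_status run_bogus_header(int fixed)
{
    static const uint8_t bogus_hdr[HDR_LEN] = { 0x15, 0x03, 0x03, 0xff, 0xff }; /* constructed */
    uint8_t fill[8];
    struct strp s;
    enum strp_status st = STRP_NEED_MORE;

    memset(fill, 0x41, sizeof(fill));
    strp_init(&s, fixed);
    for (size_t i = 0; i < HDR_LEN; i++)                /* header one byte at a time */
        st = strp_feed(&s, &bogus_hdr[i], 1);
    for (int i = 0; i < 16 && st == STRP_NEED_MORE; i++) /* the large send, in pieces */
        st = strp_feed(&s, fill, sizeof(fill));
    return st;
}

/* A well-formed record split across two deliveries must still parse. */
enum strp_status run_valid_record(int fixed)
{
    uint8_t rec[HDR_LEN + 4] = { 0x17, 0x03, 0x03, 0x00, 0x04, 1, 2, 3, 4 }; /* constructed */
    struct strp s;

    strp_init(&s, fixed);
    strp_feed(&s, rec, 3);
    return strp_feed(&s, rec + 3, sizeof(rec) - 3);
}

int main(void)
{
    printf("pre-fix, bogus header: %d (3 = buffer overflow)\n", run_bogus_header(0));
    printf("fixed,   bogus header: %d (2 = stream aborted)\n", run_bogus_header(1));
    return 0;
}
```

With the pre-fix variant the invalid header is reported once per call and then ignored, so each retry copies eight more bytes until the 64-byte buffer is exceeded; the fixed variant marks the stream aborted on the first complete bad header and copies nothing afterwards, which is the property the one-line change to tls_rx_msg_size() restores.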
