ACK: [SRU][R/Q/N/J][PATCH 0/4] CVE-2026-43284
Stefan Bader
stefan.bader at canonical.com
Tue May 19 09:00:59 UTC 2026
On 08/05/2026 17:42, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2026-43284
>
> [ Impact ]
>
> xfrm: esp: avoid in-place decrypt on shared skb frags
>
> MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
> marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
> so later paths that may modify packet data can first make a private
> copy. The IPv4/IPv6 datagram append paths did not set this flag when
> splicing pages into UDP skbs.
>
> That leaves an ESP-in-UDP packet made from shared pipe pages looking
> like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
> fast path for uncloned skbs without a frag_list and decrypts in place
> over data that is not owned privately by the skb.
>
> Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
> TCP. Also make ESP input fall back to skb_cow_data() when the flag is
> present, so ESP does not decrypt externally backed frags in place.
> Private nonlinear skb frags still use the existing fast path.
>
> This intentionally does not change ESP output. In esp_output_head(),
> the path that appends the ESP trailer to existing skb tailroom without
> calling skb_cow_data() is not reachable for nonlinear skbs:
> skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
> tailen is positive. Thus ESP output will either use the separate
> destination-frag path or fall back to skb_cow_data().
>
> [ Fix ]
>
> For N/Q/R cherry-pick fix commit from upstream:
> - f4c50a4034e6 xfrm: esp: avoid in-place decrypt on shared skb frags
>
> For J cherry-pick fix commit and follow-up from linux-5.15.y:
> - ab8b995323e52 xfrm: esp: avoid in-place decrypt on shared skb frags
> - fe785bb3a8096 xfrm: esp: ipv4: fix up flags setting
>
> [ Test Plan ]
>
> Compiled and boot tested.
> Tested using publicly available exploit.
> Tested using LTP ad-hoc test.
>
> [ Regression Potential ]
>
> The patch may cause unintended copy-on-write overhead,
> potentially degrading throughput for ESP-in-UDP workloads
> that previously used the zero-copy fast path.
>
> [ Other Info ]
>
> https://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
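The cover letter above describes the two halves of the fix in words: the datagram append path must mark spliced frags SKBFL_SHARED_FRAG, and ESP input must fall back to skb_cow_data() when that flag is present. The following is an added user-space model of that hazard for readers of this thread; it is not kernel code and not part of the Ubuntu or upstream patches. Only the flag name and the pre-fix fast-path condition (uncloned, no frag_list) are taken from the cover letter; the `struct skb`/`struct frag` layouts, the `model_*` helpers, the XOR "cipher" standing in for the ESP transform, the flag bit value and the sample page contents are all constructed here.

```c
/* Added example: user-space model of in-place ESP decrypt over a frag whose
 * page is still owned by a pipe. Not kernel code; all names below except
 * SKBFL_SHARED_FRAG are invented for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SKBFL_SHARED_FRAG 0x01u   /* flag name from the cover letter; bit value is a placeholder */
#define PAGE_LEN 16
static const uint8_t TOY_KEY = 0x5a; /* constructed stand-in for the ESP key */

/* A frag points into a page; a spliced pipe page is still owned by the pipe. */
struct frag {
    uint8_t *data;
    size_t   len;
    bool     private_copy;   /* true once this frag has its own allocated copy */
};

struct skb {
    struct frag frags[2];
    unsigned    nr_frags;
    unsigned    flags;       /* SKBFL_* bits */
    bool        cloned;
    bool        has_frag_list;
};

/* Stand-in for the ESP cipher: in-place XOR with a one-byte key. */
static void toy_decrypt(uint8_t *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        p[i] ^= TOY_KEY;
}

/* Model of skb_cow_data(): every frag gets a private copy before it is written. */
static int model_cow_data(struct skb *skb)
{
    for (unsigned i = 0; i < skb->nr_frags; i++) {
        uint8_t *copy = malloc(skb->frags[i].len);
        if (!copy)
            return -1;
        memcpy(copy, skb->frags[i].data, skb->frags[i].len);
        skb->frags[i].data = copy;
        skb->frags[i].private_copy = true;
    }
    return 0;
}

static void model_free(struct skb *skb)
{
    for (unsigned i = 0; i < skb->nr_frags; i++)
        if (skb->frags[i].private_copy)
            free(skb->frags[i].data);
}

/* ESP input. Pre-fix: fast path whenever the skb is uncloned and has no
 * frag_list. With the fix: additionally fall back to COW on shared frags. */
static int model_esp_input(struct skb *skb, bool esp_checks_flag)
{
    bool fast_path = !skb->cloned && !skb->has_frag_list;
    if (esp_checks_flag && (skb->flags & SKBFL_SHARED_FRAG))
        fast_path = false;
    if (!fast_path && model_cow_data(skb) < 0)
        return -1;
    for (unsigned i = 0; i < skb->nr_frags; i++)
        toy_decrypt(skb->frags[i].data, skb->frags[i].len);
    return 0;
}

/* Splice one constructed pipe page into a UDP-like skb and run ESP input.
 * Returns true when the pipe's own page was modified by the decrypt. */
bool pipe_page_modified(bool udp_sets_flag, bool esp_checks_flag)
{
    uint8_t pipe_page[PAGE_LEN], original[PAGE_LEN];
    for (int i = 0; i < PAGE_LEN; i++)
        pipe_page[i] = (uint8_t)(0xA0 + i);   /* constructed "ciphertext" bytes */
    memcpy(original, pipe_page, PAGE_LEN);

    struct skb skb = { .nr_frags = 1, .cloned = false, .has_frag_list = false };
    skb.frags[0] = (struct frag){ .data = pipe_page, .len = PAGE_LEN };
    skb.flags = udp_sets_flag ? SKBFL_SHARED_FRAG : 0;  /* TCP already did this; UDP did not */

    bool modified = false;
    if (model_esp_input(&skb, esp_checks_flag) == 0)
        modified = memcmp(pipe_page, original, PAGE_LEN) != 0;
    model_free(&skb);
    return modified;
}

int main(void)
{
    printf("pre-fix (no flag, no check):      pipe page modified = %d\n", pipe_page_modified(false, false));
    printf("flag only (ESP ignores it):       pipe page modified = %d\n", pipe_page_modified(true, false));
    printf("check only (UDP never sets flag): pipe page modified = %d\n", pipe_page_modified(false, true));
    printf("both halves applied:              pipe page modified = %d\n", pipe_page_modified(true, true));
    return 0;
}
```

The four calls in `main` make the point of the commit's two-part structure: the flag is only useful if the datagram append path sets it and ESP input honours it; either half alone still leaves the decrypt writing over the pipe's page. The model also keeps the cover letter's claim that private nonlinear frags stay on the fast path, since an skb without the flag and with no other owner takes no copy.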