Re: Linux 5.15.205

[Ben Hutchings]

On Fri, 2026-05-08 at 16:30 +0200, gregkh@xxxxxxxxxxxxxxxxxxx wrote:
> On Fri, May 08, 2026 at 04:07:31PM +0200, Massimiliano Pellizzer wrote:
> > On Fri, May 8, 2026 at 3:50 PM gregkh@xxxxxxxxxxxxxxxxxxx
> > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > > 
> > > On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > > > On Fri, May 8, 2026 at 2:44 PM gregkh@xxxxxxxxxxxxxxxxxxx
> > > > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > > > > 
> > > > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > > > Hi,
> > > > > > 
> > > > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > > > > 
> > > > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > > > > 
> > > > > > Would this need to be:
> > > > > > 
> > > > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > > > > 
> > > > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > > > > 
> > > > > Adding Ben who did the 5.10 backport so he can comment on this.
> > > > > 
> > > > > thanks,
> > > > > 
> > > > > greg k-h
> > > > > 
> > > > 
> > > > Hi,
> > > > 
> > > > The new released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> > > > 
> > > > ```
> > > > $ ./run.sh
> > > > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > > > 'sick::0:0:<pad>:/:/bin/bash'
> > > > === Stage 2 — verify
> > > > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > > > === Stage 3 — su - sick (empty password via PAM nullok)
> > > > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > > > # uname -r
> > > > 5.15.205
> > > > ```
> > > > 
> > > 
> > > Does the patch below fix this up?
> > > 
> > > thanks,
> > > 
> > > greg k-h
> > > 
> > > ------------------
> > > 
> > > 
> > > diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> > > index 68509e1f89b5..5d8f8a5901bc 100644
> > > --- a/net/ipv4/ip_output.c
> > > +++ b/net/ipv4/ip_output.c
> > > @@ -1443,7 +1443,7 @@ ssize_t   ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> > >                         goto error;
> > >                 }
> > > 
> > > -               skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > +               skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > 
> > >                 if (skb->ip_summed == CHECKSUM_NONE) {
> > >                         __wsum csum;
> > 
> > Yes, this works.
> 
> Wait, is this also needed in the 6.1.y backport as well?
> 
> Ben, I'm guessing you tested the 6.1.y backport, right?

Yes, but on 6.1 the PoC never succeeded for me even without the patch. 
(On 5.10 and 6.12 it does.)  So unfortunately that testing could not
show whether my attempted fix was correct.

Sorry for screwing this one up.

Ben.

-- 
Ben Hutchings - Debian developer, member of kernel, installer and LTS
teams

Attachment: signature.asc
Description: This is a digitally signed message part