Patch kernel: backport ipv6 fraggap OOB-write fix (torvalds/linux@736b380e)#17848
Patch kernel: backport ipv6 fraggap OOB-write fix (torvalds/linux@736b380e)#17848omkhar wants to merge 2 commits into
Conversation
|
@microsoft-github-policy-service agree |
a10ac51 to
b8d4e25
Compare
…b380e) Backport upstream torvalds/linux@736b380 ("ipv6: account for fraggap on the paged allocation path"), which fixes an out-of-bounds write in __ip6_append_data(). On the paged-allocation branch alloclen/pagedlen are computed without accounting for fraggap, so when fraggap != 0 the linear skb area is undersized and the carried-over bytes are copied past skb->end into the trailing skb_shared_info. An unprivileged user can trigger this via a corked UDPv6 socket using MSG_SPLICE_PAGES. The fix adds fraggap to alloclen and subtracts it from pagedlen, and drops the now-stale MSG_SPLICE_PAGES exception in the negative-copy check. Wire-validated on Azure Linux 3.0 6.6.143.1 (KASAN build): the OOB-write reproduced 10/10 on the unpatched kernel (write 8 bytes past skb->end) and 0/10 on the patched kernel (the linear allocation is enlarged by fraggap so the copy lands in-bounds). Signed-off-by: Omkhar Arasaratnam <omkhar@linkedin.com>
b8d4e25 to
a245fbc
Compare
|
Requesting fast-track / expedited consideration for this backport. This The upstream fix (torvalds/linux@736b380e) is not yet in |
|
Maintainer's call: while the published POC is for ipv6, you may consider adding the ipv4 fix as well for completeness. Full series here https://lore.kernel.org/all/ajFQn6yh43eDeQm9@DESKTOP-19IMU7U.localdomain/ Let me know if you'd like me to revise the spec to include both. |
|
Thanks for the thorough write-up and validation work @omkhar. On the changes themselves, As for the patch, it looks like this will be picked up in 6.6.144 https://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git/tree/queue-6.6/ipv6-account-for-fraggap-on-the-paged-allocation-path.patch. We're evaluating whether to take this as a spec patch or cherry-pick into the kernel source repo instead. Will follow up once we have a decision — appreciate your patience. |
kernel-ipe is part of the kernel spec entanglement group but is not covered by the CI Spec Entanglement Mismatch Check. Bump Release 1 -> 2 and add a %changelog entry to match the rest of the family for the ipv6 fraggap OOB-write fix (torvalds/linux@736b380e28d0).
|
Thanks @rlmenge — good catch on Totally your call on spec patch vs. cherry-pick into the kernel source repo — happy to rework it whichever way you land. And since this is queued for 6.6.144, I'm equally happy to just close this and let the The ipv4 sibling from the same series is still on offer too — say the word and I'll fold it into whichever route you choose. |
Backport upstream fix for the IPv6 fraggap out-of-bounds write in
__ip6_append_data()(no CVE assigned upstream as of 2026-06-29).Upstream commit: torvalds/linux@736b380
Author: Wongi Lee qw3rtyp0@gmail.com, Jungwoo Lee jwlee2217@gmail.com
Reviewed-by: Ido Schimmel idosch@nvidia.com
Signed-off-by: Jakub Kicinski kuba@kernel.org
Fixes: 773ba4fe9104 ("ipv6: avoid partial copy for zc")
LKML thread: https://lore.kernel.org/all/ajFTqRljatR17fFy@DESKTOP-19IMU7U.localdomain/
The bug
On the paged-allocation branch of
__ip6_append_data()(MSG_MORE / NETIF_F_SG /large fraglen),
alloclen/pagedlenare computed asalloclen = fragheaderlen + transhdrlen; pagedlen = datalen - transhdrlen;.datalenalready includesfraggap, so whenfraggap != 0(a non-first skb carrying bytes over from theprevious skb) the linear skb area is undersized by
fraggapand the fraggap copywrites past
skb->endinto the trailingskb_shared_info. Introduced by773ba4fe9104 (v6.0); became reachable once ce650a166335 (v6.5) let MSG_SPLICE_PAGES
proceed past the previously-
-EINVALnegative-copycase. An unprivileged usercan trigger it via a corked UDPv6 socket using MSG_SPLICE_PAGES. Both gating
commits are present in 6.6.143.1, so Azure Linux 3.0 is affected.
The fix adds
fraggaptoalloclenand subtracts it frompagedlen, and removesthe now-stale MSG_SPLICE_PAGES exception in the negative-
copycheck.Vulnerable behaviour reproduced on Azure Linux 3.0 6.6.143.1
Built KASAN diagnostic kernels from the spec's exact source tag
(
rolling-lts/mariner-3/6.6.143.1, config matchingSPECS/kernel/config):6.6.143.1-fraggap-baseline+(unpatched) and-fraggap-fixed+(this patch).An unprivileged process (corked UDPv6 + two
splice/MSG_SPLICE_PAGES chunks over a640-byte type-4 SRH at IPV6_MTU 1280) corrupts
skb_shared_info. The witness isthe free-time crash when the corrupted
nr_frags/frag_listis walked onfinalize — a real KASAN report on the unmodified kernel:
Unpatched: 10/10 runs crash (GPF / KASAN null-ptr-deref in skb_release_data).
Patched: 0/10 runs (alloclen enlarged by fraggap; the copy lands in-bounds;
skb_shared_info is never corrupted).
Why no copy-site
KASAN: slab-out-of-bounds Write: the 8-byte overshoot landsin-object (the trailing
skb_shared_infosits betweenskb->endand thekmalloc-1024 object end), which KASAN does not poison — so the witnessable signal
is the downstream free-path null-ptr-deref, confirmed by live address
instrumentation (write at
skb->end+8baseline vs-1016in-bounds patched,10/10 -> 0/10). Both witnesses are deterministic. Full analysis in the validation
bundle (
kasan-mechanism-note.md).LTP regression (baseline vs patched, same run)
LTP 20260130 (kirk),
net.ipv6 net.ipv6_lib net.multicaston both kernels:Baseline: 127 passed, 0 failed, 0 broken, 7 skipped
Patched: 127 passed, 0 failed, 0 broken, 7 skipped
No passed→failed transitions. Subsystem coverage proven via a kprobe on
__ip6_append_data(6187× baseline / 8088× patched).Scope — the entangled kernel spec family
A kernel
Releasebump on Azure Linux 3.0 must keep the entangled spec family inlockstep (CI
Spec Entanglement Mismatch Check), so this is not a 2-filechange:
Release: 1 → 2+%changelogon the specs that build the kernel FROMSOURCE:
SPECS/kernel/kernel.specANDSPECS/kernel-64k/kernel-64k.spec(patching only
kernelwhile release-bumpingkernel-64kwould ship afake-fixed 64k release). The patch is verbatim upstream
git format-patch(trailers preserved), applied by the existing
%autosetup -p1.Release: 1 → 2+%changelogonly on the repackaging/headers siblings:kernel-uki,kernel-headers,kernel-signed,kernel-64k-signed,kernel-uki-signed.kernel-headerscascades intoCheck Manifests, so thekernel-headers/kernel-cross-headersNVR is bumped intoolkit/resources/manifests/package/{toolchain,pkggen_core}_{x86_64,aarch64}.txt.No
kernel.signatures.json/ cgmanifest / LICENSE-MAP change (those trackSourceN/licenses, unchanged;Source Signature Check (SPECS)passes withoutthem). 13 files total; all CI green.
Out-of-tree carry ahead of stable — justification (live PoC)
As of 2026-06-29 the fix is in torvalds/master but NOT yet in
linux-6.6.ystable.Requesting it ahead of stable because the bug has a working
local-privilege-escalation exploit: the
IPV6_FRAG_ESCAPEchain weaponizes thisexact fraggap OOB-write (corrupt
skb_shared_info->nr_frags→ page-UAF →dirty-pagetable → unprivileged container/root escape, demonstrated on the
6.12/el10 sibling), and the same unprivileged trigger + OOB-write are wire-proven
on this 6.6.143.1 kernel here. It is reachable by any unprivileged user via a
plain UDPv6 socket.
Promotion: merge to
3.0-dev→ publishes to3.0on the next cadence. CLA agreedvia the bot comment.
Checklist
git format-patch -1 736b380e(trailers preserved)