[Devel] [PATCH vz10 0/4] CVE-2026-43500: backport rxrpc "Dirty Frag" fix
Pavel Tikhomirov
ptikhomirov at virtuozzo.com
Thu Jun 18 12:55:35 MSK 2026
Reviewed-by: Pavel Tikhomirov <ptikhomirov at virtuozzo.com>
On 6/17/26 22:49, Konstantin Khorenko wrote:
> This series backports the upstream fix for CVE-2026-43500 ("Dirty Frag")
> into the vz10 kernel (rh10-6.12.0-211.16.1.x.vz10).
>
> What the bug is
> ---------------
> rxrpc decrypts secured DATA/RESPONSE packets in place. An sk_buff that is
> not cloned but still carries externally-owned paged fragments - e.g.
> SKBFL_SHARED_FRAG set by splice() into a UDP socket via __ip_append_data(),
> or a chained skb_has_frag_list() - falls through to the in-place decryption
> path, which binds the frag pages directly into the AEAD/skcipher SGL via
> skb_to_sgvec(). A low-privileged local attacker can use the splice-loopback
> vector to make rxrpc decrypt over pages it does not privately own,
> corrupting page-cache contents - a building block for local privilege
> escalation.
>
> Why we have to carry it, while Red Hat marks the kernel "Not affected"
> ----------------------------------------------------------------------
> Red Hat rates RHEL 10 kernel as "Not affected" for CVE-2026-43500. Their
> rationale is packaging, not code: the vulnerable rxrpc code is present in
> the source, but "the binary RPMs that provide this module are not shipped
> or supported by Red Hat", and the module is not installed by default. RHEL
> keeps rxrpc out of the supported, shipped module set.
>
> That reasoning does not carry over to us:
>
> - vz10 builds CONFIG_AF_RXRPC=m (and CONFIG_RXKAD=y), same as RHEL, so the
> vulnerable code is compiled.
> - In our packaging (def_variants.yaml.rhel, inherited verbatim from RHEL)
> net/rxrpc/* maps to "modules-partner", and kernel-modules-partner is a
> real, shippable sub-package - not the unshipped kernel-modules-internal
> that RHEL's "Not affected" relies on.
> - There is no mod-denylist entry blocking rxrpc, and
> MODULE_ALIAS_NETPROTO(PF_RXRPC) means an unprivileged socket(AF_RXRPC,
> ...) auto-loads af_rxrpc.ko if it is present on disk.
>
> So wherever kernel-modules-partner is installed, the CVE is locally
> reachable. Hence we fix the code rather than rely on a "we don't ship it"
> verdict. AF_RXRPC sockets are not netns/VE-isolated, so the vector is also
> reachable from inside a container.
>
> Why exactly 4 patches
> ---------------------
> The actual fix for CVE-2026-43500 is patch 4 (aa54b1d27fe0), with patch 2
> (24481a7f5733) providing the RESPONSE-side helper it extends. But both
> depend on infrastructure vz10 did not have, so two more upstream commits
> are required to land them cleanly and correctly:
>
> 1. ms/rxrpc: Fix potential UAF after skb_unshare() failure (1f2740150f90)
> Prerequisite. vz10 lacked this commit (verified: its trace enums
> rxrpc_skb_put_response_copy / rxrpc_skb_see_unshare_nomem were absent).
> It also moves the in-place-decryption unshare from io_thread.c into
> rxrpc_input_call_event(), which is the location patches 3 and 4 build
> on. Without it the helper in patch 2 fails to build.
>
> 2. ms/rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
> (24481a7f5733) - adds rxrpc_verify_response(); patch 4 extends its
> gate.
>
> 3. ms/rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
> (55b2984c96c3) - follow-up that Fixes: patch 1; restores the
> DATA-packet-only condition on the unshare gate (so ACK/ABORT packets
> are not needlessly copied).
>
> 4. ms/rxrpc: Also unshare DATA/RESPONSE packets when paged frags are
> present (aa54b1d27fe0) - the CVE-2026-43500 fix proper: extends the
> gate from skb_cloned() to also cover skb_has_frag_list() /
> skb_has_shared_frag(), catching the splice-loopback vector.
>
> The patches are ordered exactly as in mainline. Only patch 2 needed a
> manual conflict resolution (mainline has an unrelated early
> spin_lock_irq(&conn->state_lock) state-check before the verify call that
> vz10 does not have; we kept the vz10 structure and applied only this
> patch's change). Patches 1, 3 and 4 applied cleanly.
>
> What is deliberately NOT included
> ---------------------------------
> Upstream later reworked the decrypt path to extract packet data into a
> bounce buffer instead of copying the skb (8bfab4b6ffc2, d2bc90cf6c75,
> 16c8ae9735c5, all "improves the fix for CVE-2026-43500"). Those are
> performance/robustness improvements, not required to close the hole - the
> copy-based fix in this series is exactly what mainline shipped first and
> what the stable trees backported. They also conflict heavily in the
> rxkad/rxgk crypto classes and would pull in further dependencies, so they
> are left out of this CVE backport and can be done separately if we decide
> to track mainline for the rxrpc decrypt path.
>
> https://virtuozzo.atlassian.net/browse/VSTOR-131094
>
> David Howells (3):
> ms/rxrpc: Fix potential UAF after skb_unshare() failure
> ms/rxrpc: Fix conn-level packet handling to unshare RESPONSE packets
> ms/rxrpc: Fix rxrpc_input_call_event() to only unshare DATA packets
>
> Hyunwoo Kim (1):
> ms/rxrpc: Also unshare DATA/RESPONSE packets when paged frags are
> present
>
> include/trace/events/rxrpc.h | 4 ++--
> net/rxrpc/ar-internal.h | 1 -
> net/rxrpc/call_event.c | 22 +++++++++++++++++++++-
> net/rxrpc/conn_event.c | 30 +++++++++++++++++++++++++++++-
> net/rxrpc/io_thread.c | 24 ++----------------------
> net/rxrpc/skbuff.c | 9 ---------
> 6 files changed, 54 insertions(+), 36 deletions(-)
>
> --
> 2.43.0
>
--
Best regards, Pavel Tikhomirov
Senior Software Developer, Virtuozzo.
More information about the Devel
mailing list