{"id":2235136,"url":"http://patchwork.ozlabs.org/api/1.2/covers/2235136/?format=json","web_url":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177825404593.556137.16021374556820212124@tuxedo-infinitybook.public/","project":{"id":15,"url":"http://patchwork.ozlabs.org/api/1.2/projects/15/?format=json","name":"Ubuntu Kernel","link_name":"ubuntu-kernel","list_id":"kernel-team.lists.ubuntu.com","list_email":"kernel-team@lists.ubuntu.com","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<177825404593.556137.16021374556820212124@tuxedo-infinitybook.public>","list_archive_url":null,"date":"2026-05-08T15:42:45","name":"[SRU,R/Q/N/J,0/4] CVE-2026-43284","submitter":{"id":89057,"url":"http://patchwork.ozlabs.org/api/1.2/people/89057/?format=json","name":"Massimiliano Pellizzer","email":"massimiliano.pellizzer@canonical.com"},"mbox":"http://patchwork.ozlabs.org/project/ubuntu-kernel/cover/177825404593.556137.16021374556820212124@tuxedo-infinitybook.public/mbox/","series":[],"comments":"http://patchwork.ozlabs.org/api/covers/2235136/comments/","headers":{"Return-Path":"<kernel-team-bounces@lists.ubuntu.com>","X-Original-To":"incoming@patchwork.ozlabs.org","Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (4096-bit key;\n unprotected) header.d=canonical.com header.i=@canonical.com\n header.a=rsa-sha256 header.s=20251003 header.b=krxzIyRF;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ubuntu.com\n (client-ip=185.125.189.65; helo=lists.ubuntu.com;\n envelope-from=kernel-team-bounces@lists.ubuntu.com;\n receiver=patchwork.ozlabs.org)"],"Received":["from lists.ubuntu.com (lists.ubuntu.com [185.125.189.65])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4gBtgq5N3Cz1yJq\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 09 May 2026 01:43:35 +1000 (AEST)","from localhost ([127.0.0.1] helo=lists.ubuntu.com)\n\tby lists.ubuntu.com with esmtp (Exim 4.86_2)\n\t(envelope-from <kernel-team-bounces@lists.ubuntu.com>)\n\tid 1wLNMM-0001Ey-5u; Fri, 08 May 2026 15:43:26 +0000","from smtp-relay-internal-0.internal ([10.131.114.225]\n helo=smtp-relay-internal-0.canonical.com)\n by lists.ubuntu.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)\n (Exim 4.86_2) (envelope-from <massimiliano.pellizzer@canonical.com>)\n id 1wLNMK-0001DU-H3\n for kernel-team@lists.ubuntu.com; Fri, 08 May 2026 15:43:24 +0000","from mail-wm1-f70.google.com (mail-wm1-f70.google.com\n [209.85.128.70])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-relay-internal-0.canonical.com (Postfix) with ESMTPS id 5449D3FEA3\n for <kernel-team@lists.ubuntu.com>; Fri,  8 May 2026 15:43:24 +0000 (UTC)","by mail-wm1-f70.google.com with SMTP id\n 5b1f17b1804b1-48d1b294dfeso18459275e9.0\n for <kernel-team@lists.ubuntu.com>; Fri, 08 May 2026 08:43:24 -0700 (PDT)","from tuxedo-infinitybook (net-93-66-99-204.cust.vodafonedsl.it.\n [93.66.99.204]) by smtp.gmail.com with ESMTPSA id\n 5b1f17b1804b1-48e6dd3b7casm3540985e9.12.2026.05.08.08.43.22\n for <kernel-team@lists.ubuntu.com>\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Fri, 08 May 2026 08:43:22 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com;\n s=20251003; t=1778255004;\n bh=4TQk9kBkKOgCLSg/thT1lAm2aeu5ULPd/ZqxuWxClFE=;\n h=From:To:Subject:Date:Message-ID:MIME-Version;\n b=krxzIyRFL6dJ9U2h0Rdtgn408MQsqbIpl+ighaBpbJHG2smzi0YPyqBPNO/5Gt4bY\n NZ2RqZxZhEYKJI3B/QEON8SHkoNUJV0XyX+0nzCtja5UA17Eusqz5fUPpKrT5elnIv\n /v58+xp8vNZSctma8geR4aRRXHQ/i6JjBhxDeUy5UE5GEYQ18csfD3YMnJWk43OmTm\n i/uqmtqaXiy2f94KG7qlQ7AtuObHNe5NyL1z9x9NQ1WrcC8Z539ZBpU09wHuGccLJ6\n zKXlycPI8HnK18C5feA7p0eHabI4FgPZb59CJnbDR9o7vAn7oRpdi2u9JaGJYwS7Fr\n TIfvT8yHhs5jFJ2G5unkEnzVqhqutk5IDIKsRzAFs4ee2r/0ZI3KxMpvsza9M6YUE1\n 22xVYxIh6O+WrstnBN37pTymnwVxfmh83ryMRDO2fAvVte1P/TXHXbk51QuVuP6O8d\n 3pW5hDnW6OnhXkk8oyP4p8eX5etDJfDh/s305yu7i+92AwXZOCMvsibY0oybtPEy4y\n uwWNqTU85jEgkx5LJGLax5vhAtbadUJU7xDiJhbsx5NuaWgPYiqecy23Iqx9iHMfrj\n 3b9M8rR84tcf4MyY7cH2+GmdPkODkFrgpb9Nq+ldMD9DVSGsnmA1c7ydBRBwCChI15\n INqGKpBvOtyymKNFnY+3xd9A=","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20251104; t=1778255003; x=1778859803;\n h=content-transfer-encoding:mime-version:message-id:date:subject:to\n :from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date:message-id\n :reply-to;\n bh=4TQk9kBkKOgCLSg/thT1lAm2aeu5ULPd/ZqxuWxClFE=;\n b=f+65pc/ehcW33uDcJGcyclhz8z558BCTbTIg+svpXuuNvddBGZ02q88WDAp/fQr3w8\n 7SMAnY6lASVTKrM371Kco0zYEbeYY8ezA/c6glvy56nCfxTRXEMeTVrLRywbibuzzH6z\n sQNjJCRAYqk8ov1nFgPMFJjN1QfaTr33wk04TOdRpYoDhJSsMoemowc4E/Fk2AoC3ZDH\n GtsvNr3DmeXp7vaQUQEdexPgyS98rRYo7IFItnSOwKbhXc9S2vLX33eZdhZByoa1CDsl\n CrmQZjsIUltjb38pBziF6HhKEJW9ZMEt6s2PA1Ch4r/2zusZDKK1woGu+kCF3m6aPuyD\n oJEA==","X-Gm-Message-State":"AOJu0Yz7ugoN5HCCtSYmYkFy9O8jwVbp12mZr9WyJoFEygimVZ1zm9lr\n 8i/MpMJtis/e0yYnjPf8PNM/5ee5LDEyElzsMD/stjmGbrv5v5ypSK3kaRBRzOw/i4uZ8CcTxhL\n wSOYVc/033cSdDP8Yz2PrxMVnto6tVrYJle5v4z5GqCxW2wxHBL9EdkNlfvlE+hNaeraMrdc7SB\n Cr66ZQPLzT7XCHhg==","X-Gm-Gg":"AeBDiesGWI70Tn3E8VwzVTIEzZQoOZIUUfULP1pGnGsMmau13OfHCN/xuyXb///ABUj\n oAWsa4AYmV3O6/BNGZptzyHmdclwg1Q05jn2d7PfOUjJ77jPhmLO2mOtxL4gec6/WQAa0mXQU5b\n 8Y7J0M2Y8gXA3y2sw0AqDs4oKmThYarF4Tp6lRKn2Xxxg2AFCOgH8XVanUVG8OaVUN8iCT8Iiqn\n lxnOPk3mk6XSfSNcSGeZA13TozKKpS9TCMcftNe5PLUjP16gddNNbEN+2Rcrs0++sCIHG57/E7p\n KYLPGY2ogk+8bJJKHF8F2+dGGp5U4Sf38zKzlTXkJf1TgOPCY88wXARneaCv/U57URhaM5bsbt7\n rhv0li5E7cAdSSbC6RdHX15+sXvclsMxXXx/BiJgfRyEtaj6t+j23VP9ZAOyhsI2xWiEfLXqjuG\n mnwRgn6cG/NjcpPUtg6o7EXNg1K10T+HCTiQYNbAKQ+zieupqnbdnyeM5NcaxVgEEmhKJHT3Tu9\n 5vbZg==","X-Received":["by 2002:a05:600c:3548:b0:489:1c1f:35f1 with SMTP id\n 5b1f17b1804b1-48e51e09706mr201766085e9.4.1778255003585;\n Fri, 08 May 2026 08:43:23 -0700 (PDT)","by 2002:a05:600c:3548:b0:489:1c1f:35f1 with SMTP id\n 5b1f17b1804b1-48e51e09706mr201765625e9.4.1778255003120;\n Fri, 08 May 2026 08:43:23 -0700 (PDT)"],"From":"Massimiliano Pellizzer <massimiliano.pellizzer@canonical.com>","To":"kernel-team@lists.ubuntu.com","Subject":"[SRU][R/Q/N/J][PATCH 0/4] CVE-2026-43284","Date":"Fri,  8 May 2026 17:42:45 +0200","Message-ID":"\n <177825404593.556137.16021374556820212124@tuxedo-infinitybook.public>","X-Mailer":"git-send-email 2.53.0","MIME-Version":"1.0","X-BeenThere":"kernel-team@lists.ubuntu.com","X-Mailman-Version":"2.1.20","Precedence":"list","List-Id":"Kernel team discussions <kernel-team.lists.ubuntu.com>","List-Unsubscribe":"<https://lists.ubuntu.com/mailman/options/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>","List-Archive":"<https://lists.ubuntu.com/archives/kernel-team>","List-Post":"<mailto:kernel-team@lists.ubuntu.com>","List-Help":"<mailto:kernel-team-request@lists.ubuntu.com?subject=help>","List-Subscribe":"<https://lists.ubuntu.com/mailman/listinfo/kernel-team>,\n <mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>","Content-Type":"text/plain; charset=\"utf-8\"","Content-Transfer-Encoding":"base64","Errors-To":"kernel-team-bounces@lists.ubuntu.com","Sender":"\"kernel-team\" <kernel-team-bounces@lists.ubuntu.com>"},"content":"https://ubuntu.com/security/CVE-2026-43284\n\n[ Impact ]\n\nxfrm: esp: avoid in-place decrypt on shared skb frags\n\nMSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP\nmarks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),\nso later paths that may modify packet data can first make a private\ncopy. The IPv4/IPv6 datagram append paths did not set this flag when\nsplicing pages into UDP skbs.\n\nThat leaves an ESP-in-UDP packet made from shared pipe pages looking\nlike an ordinary uncloned nonlinear skb. ESP input then takes the no-COW\nfast path for uncloned skbs without a frag_list and decrypts in place\nover data that is not owned privately by the skb.\n\nMark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching\nTCP. Also make ESP input fall back to skb_cow_data() when the flag is\npresent, so ESP does not decrypt externally backed frags in place.\nPrivate nonlinear skb frags still use the existing fast path.\n\nThis intentionally does not change ESP output. In esp_output_head(),\nthe path that appends the ESP trailer to existing skb tailroom without\ncalling skb_cow_data() is not reachable for nonlinear skbs:\nskb_tailroom() returns zero when skb->data_len is nonzero, while ESP\ntailen is positive. Thus ESP output will either use the separate\ndestination-frag path or fall back to skb_cow_data().\n\n\n[ Fix ]\n\nFor N/Q/R cherry pick fix commit from upstream:\n- f4c50a4034e6 xfrm: esp: avoid in-place decrypt on shared skb frags\n\nFor J cherry pick fix commit and followup from linux-5.15.y:\n- ab8b995323e52 xfrm: esp: avoid in-place decrypt on shared skb frags\n- fe785bb3a8096 xfrm: esp: ipv4: fix up flags setting\n\n[ Test Plan ]\n\nCompiled and boot tested.\nTested using publicly available exploit.\nTested using LTP ad-hoc test.\n\n[ Regression Potential ]\n\nThe patch may cause unintended copy-on-write overhead,\npotentially degrading throughput for ESP-in-UDP workloads\nthat previously used the zero-copy fast path.\n\n[ Other Info ]\n\nhttps://github.com/0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo"}