[PATCH net 0/3] rxrpc: Better fix for DATA/RESPONSE decrypt vs splice()
David Howells
dhowells at redhat.com
Mon May 11 09:07:46 PDT 2026
Here are two patches containing better fixes for the in-place decryption of
DATA and RESPONSE packets that can corrupt pagecache spliced into UDP
packets and sent to an AF_RXRPC server [CVE-2026-43500].
[!] Note that Hyunwoo Kim's fix is included as that is a prerequisite for
the main patches to build. This is in Linus's tree, but not yet net/main.
One patch fixes DATA decryption by having recvmsg unconditionally extract
the data into a flat bounce buffer and, if need be, decrypt it there. It
doesn't seem to cause a performance problem to do this even on unencrypted
packets; for encrypted packets it makes sure the content is correctly
aligned for crypto which seems to get a small performance gain.
Further, it means that DATA packets are no longer copied in the I/O thread,
avoiding a slowdown of the protocol engine that runs there.
The other patch fixes RESPONSE decryption by having the connection event
handler worker copy the data to a flat buffer and, again, decrypt it there.
This simplifies RESPONSE handling.
With these two fixes, the data content of the received sk_buff no longer
gets altered.
David
The patches can be found here also:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes
David Howells (2):
rxrpc: Fix DATA decrypt vs splice() by copying data to buffer in
recvmsg
rxrpc: Fix RESPONSE packet verification to extract skb to a linear
buffer
Hyunwoo Kim (1):
rxrpc: Also unshare DATA/RESPONSE packets when paged frags are present
net/rxrpc/ar-internal.h | 77 ++++++++++++++++--
net/rxrpc/call_event.c | 20 +----
net/rxrpc/call_object.c | 2 +
net/rxrpc/conn_event.c | 32 ++++----
net/rxrpc/insecure.c | 8 +-
net/rxrpc/protocol.h | 1 -
net/rxrpc/recvmsg.c | 72 +++++++++++++----
net/rxrpc/rxgk.c | 175 ++++++++++++++--------------------------
net/rxrpc/rxgk_app.c | 91 +++++++++------------
net/rxrpc/rxgk_common.h | 76 ++++++++---------
net/rxrpc/rxkad.c | 175 +++++++++++++++-------------------------
11 files changed, 349 insertions(+), 380 deletions(-)
More information about the linux-afs
mailing list