[PATCH v5.10 0/2] Fix CVE-2026-23204

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH v5.10 0/2] Fix CVE-2026-23204
@ 2026-06-18  8:08 Shivani Agarwal
  2026-06-18  8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Shivani Agarwal @ 2026-06-18  8:08 UTC (permalink / raw)
  To: stable, gregkh
  Cc: davem, edumazet, kuba, pabeni, horms, netdev, linux-kernel,
	xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
	vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu,
	Shivani Agarwal

To fix CVE-2026-23204, commit cabd1a976375 is required; however,
it depends on commit 13e00fdc9236. Therefore, both patches
have been backported to v5.10.

Eric Dumazet (2):
  net: add skb_header_pointer_careful() helper
  net/sched: cls_u32: use skb_header_pointer_careful()

 include/linux/skbuff.h | 12 ++++++++++++
 net/sched/cls_u32.c    | 13 ++++++-------
 2 files changed, 18 insertions(+), 7 deletions(-)

-- 
2.53.0


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper
  2026-06-18  8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
@ 2026-06-18  8:08 ` Shivani Agarwal
  2026-06-18  8:08 ` [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful() Shivani Agarwal
  2026-06-20 11:54 ` [PATCH v5.10 0/2] Fix CVE-2026-23204 Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Shivani Agarwal @ 2026-06-18  8:08 UTC (permalink / raw)
  To: stable, gregkh
  Cc: davem, edumazet, kuba, pabeni, horms, netdev, linux-kernel,
	xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
	vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu, Bin Lan,
	Shivani Agarwal

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ]

This variant of skb_header_pointer() should be used in contexts
where @offset argument is user-controlled and could be negative.

Negative offsets are supported, as long as the zone starts
between skb->head and skb->data.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Adjust context ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Shivani: Modified to apply on 5.10.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
---
 include/linux/skbuff.h | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 8abbb64bd..a2daeba8b 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3686,6 +3686,18 @@ skb_header_pointer(const struct sk_buff *skb, int offset, int len, void *buffer)
 				    skb_headlen(skb), buffer);
 }
 
+/* Variant of skb_header_pointer() where @offset is user-controlled
+ * and potentially negative.
+ */
+static inline void * __must_check
+skb_header_pointer_careful(const struct sk_buff *skb, int offset,
+			   int len, void *buffer)
+{
+	if (unlikely(offset < 0 && -offset > skb_headroom(skb)))
+		return NULL;
+	return skb_header_pointer(skb, offset, len, buffer);
+}
+
 /**
  *	skb_needs_linearize - check if we need to linearize a given skb
  *			      depending on the given device features.
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful()
  2026-06-18  8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
  2026-06-18  8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
@ 2026-06-18  8:08 ` Shivani Agarwal
  2026-06-20 11:54 ` [PATCH v5.10 0/2] Fix CVE-2026-23204 Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Shivani Agarwal @ 2026-06-18  8:08 UTC (permalink / raw)
  To: stable, gregkh
  Cc: davem, edumazet, kuba, pabeni, horms, netdev, linux-kernel,
	xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
	vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu, GangMin Kim,
	Bin Lan, Shivani Agarwal

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ]

skb_header_pointer() does not fully validate negative @offset values.

Use skb_header_pointer_careful() instead.

GangMin Kim provided a report and a repro fooling u32_classify():

BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221

Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely")
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Shivani: Modified to apply on 5.10.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
---
 net/sched/cls_u32.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index f2a0c1068..e501390cc 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -149,10 +149,8 @@ static int u32_classify(struct sk_buff *skb, const struct tcf_proto *tp,
 			int toff = off + key->off + (off2 & key->offmask);
 			__be32 *data, hdata;
 
-			if (skb_headroom(skb) + toff > INT_MAX)
-				goto out;
-
-			data = skb_header_pointer(skb, toff, 4, &hdata);
+			data = skb_header_pointer_careful(skb, toff, 4,
+							  &hdata);
 			if (!data)
 				goto out;
 			if ((*data ^ key->val) & key->mask) {
@@ -202,8 +200,9 @@ static int u32_classify(struct sk_buff *skb, const struct tcf_proto *tp,
 		if (ht->divisor) {
 			__be32 *data, hdata;
 
-			data = skb_header_pointer(skb, off + n->sel.hoff, 4,
-						  &hdata);
+			data = skb_header_pointer_careful(skb,
+							  off + n->sel.hoff,
+							  4, &hdata);
 			if (!data)
 				goto out;
 			sel = ht->divisor & u32_hash_fold(*data, &n->sel,
@@ -217,7 +216,7 @@ static int u32_classify(struct sk_buff *skb, const struct tcf_proto *tp,
 			if (n->sel.flags & TC_U32_VAROFFSET) {
 				__be16 *data, hdata;
 
-				data = skb_header_pointer(skb,
+				data = skb_header_pointer_careful(skb,
 							  off + n->sel.offoff,
 							  2, &hdata);
 				if (!data)
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v5.10 0/2] Fix CVE-2026-23204
  2026-06-18  8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
  2026-06-18  8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
  2026-06-18  8:08 ` [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful() Shivani Agarwal
@ 2026-06-20 11:54 ` Sasha Levin
  2 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2026-06-20 11:54 UTC (permalink / raw)
  To: stable, gregkh
  Cc: Sasha Levin, davem, edumazet, kuba, pabeni, horms, netdev,
	linux-kernel, xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
	vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu,
	Shivani Agarwal

> [PATCH v5.10 0/2] Fix CVE-2026-23204

Queued the series for 5.10, thanks.

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-06-20 11:55 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-18  8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
2026-06-18  8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
2026-06-18  8:08 ` [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful() Shivani Agarwal
2026-06-20 11:54 ` [PATCH v5.10 0/2] Fix CVE-2026-23204 Sasha Levin

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.