[PATCH] net: esp4/esp6: missing skb_has_shared_frag() check in 6.1.y (CVE-2026-43284 backport)

[PATCH] net: esp4/esp6: missing skb_has_shared_frag() check in 6.1.y (CVE-2026-43284 backport)

[boz baba]

Hi stable team,

The fix for CVE-2026-43284 ("Dirty Frag", commit f4c50a4034e6) added a
skb_has_shared_frag() check to the skip_cow path in esp_input() in both
net/ipv4/esp4.c and net/ipv6/esp6.c. This fix was backported to 6.12.y
but appears to be missing from the 6.1.y stable branch.

Affected: linux-6.1.133 (latest 6.1.y as of 2026-05-31)
Fixed in: linux-6.12.91, mainline (f4c50a4034e6)

Vulnerable pattern in net/ipv4/esp4.c (line 912) and net/ipv6/esp6.c (line 960):

  if (!skb_cloned(skb)) {
      if (!skb_is_nonlinear(skb)) {
          nfrags = 1;
          goto skip_cow;
      } else if (!skb_has_frag_list(skb)) {   /* <-- missing &&
!skb_has_shared_frag(skb) */
          nfrags = skb_shinfo(skb)->nr_frags;
          nfrags++;
          goto skip_cow;
      }
  }

The missing check allows an skb with SKBFL_SHARED_FRAG set (e.g. from
vmsplice()/sendfile()) to bypass skb_cow_data() and proceed to in-place
aead decryption via:

  aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
  crypto_aead_decrypt(req);

This is the same page-cache corruption primitive as CVE-2026-43284.

Please backport commit f4c50a4034e6 to linux-6.1.y.

Affected versions: linux-6.1.x (all versions, fix not present)
Fixed versions: linux-6.12.91+, mainline

Verified by: source comparison of net/ipv4/esp4.c and net/ipv6/esp6.c
between linux-6.1.133 and linux-6.12.91.

References:
- CVE-2026-43284 (Dirty Frag)
- Fix commit: f4c50a4034e6

Thanks,
boz

Re: [PATCH] net: esp4/esp6: missing skb_has_shared_frag() check in 6.1.y (CVE-2026-43284 backport)

[Greg KH]

On Mon, Jun 01, 2026 at 02:31:48PM +0300, boz baba wrote:
> Hi stable team,
> 
> The fix for CVE-2026-43284 ("Dirty Frag", commit f4c50a4034e6) added a
> skb_has_shared_frag() check to the skip_cow path in esp_input() in both
> net/ipv4/esp4.c and net/ipv6/esp6.c. This fix was backported to 6.12.y
> but appears to be missing from the 6.1.y stable branch.
> 
> Affected: linux-6.1.133 (latest 6.1.y as of 2026-05-31)

No, 6.1.133 was released on Mon Apr 7 10:05:54 2025 +0200, there have
been many many releases since then.

> Fixed in: linux-6.12.91, mainline (f4c50a4034e6)
> 
> Vulnerable pattern in net/ipv4/esp4.c (line 912) and net/ipv6/esp6.c (line 960):
> 
>   if (!skb_cloned(skb)) {
>       if (!skb_is_nonlinear(skb)) {
>           nfrags = 1;
>           goto skip_cow;
>       } else if (!skb_has_frag_list(skb)) {   /* <-- missing &&
> !skb_has_shared_frag(skb) */
>           nfrags = skb_shinfo(skb)->nr_frags;
>           nfrags++;
>           goto skip_cow;
>       }
>   }
> 
> The missing check allows an skb with SKBFL_SHARED_FRAG set (e.g. from
> vmsplice()/sendfile()) to bypass skb_cow_data() and proceed to in-place
> aead decryption via:
> 
>   aead_request_set_crypt(req, sg, sg, elen + ivlen, iv);
>   crypto_aead_decrypt(req);
> 
> This is the same page-cache corruption primitive as CVE-2026-43284.
> 
> Please backport commit f4c50a4034e6 to linux-6.1.y.

It is already in the 6.1.171 release.

> Affected versions: linux-6.1.x (all versions, fix not present)
> Fixed versions: linux-6.12.91+, mainline
> 
> Verified by: source comparison of net/ipv4/esp4.c and net/ipv6/esp6.c
> between linux-6.1.133 and linux-6.12.91.

6.1.133 is very very old, please update your tree.

thanks,

greg k-h