* [PATCH v5.10 0/2] Fix CVE-2026-23204
@ 2026-06-18 8:08 Shivani Agarwal
2026-06-18 8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Shivani Agarwal @ 2026-06-18 8:08 UTC (permalink / raw)
To: stable, gregkh
Cc: davem, edumazet, kuba, pabeni, horms, netdev, linux-kernel,
xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu,
Shivani Agarwal
To fix CVE-2026-23204, commit cabd1a976375 is required; however,
it depends on commit 13e00fdc9236. Therefore, both patches
have been backported to v5.10.
Eric Dumazet (2):
net: add skb_header_pointer_careful() helper
net/sched: cls_u32: use skb_header_pointer_careful()
include/linux/skbuff.h | 12 ++++++++++++
net/sched/cls_u32.c | 13 ++++++-------
2 files changed, 18 insertions(+), 7 deletions(-)
--
2.53.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper
2026-06-18 8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
@ 2026-06-18 8:08 ` Shivani Agarwal
2026-06-18 8:08 ` [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful() Shivani Agarwal
2026-06-20 11:54 ` [PATCH v5.10 0/2] Fix CVE-2026-23204 Sasha Levin
2 siblings, 0 replies; 4+ messages in thread
From: Shivani Agarwal @ 2026-06-18 8:08 UTC (permalink / raw)
To: stable, gregkh
Cc: davem, edumazet, kuba, pabeni, horms, netdev, linux-kernel,
xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu, Bin Lan,
Shivani Agarwal
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 13e00fdc9236bd4d0bff4109d2983171fbcb74c4 ]
This variant of skb_header_pointer() should be used in contexts
where @offset argument is user-controlled and could be negative.
Negative offsets are supported, as long as the zone starts
between skb->head and skb->data.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-2-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Adjust context ]
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Shivani: Modified to apply on 5.10.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
---
include/linux/skbuff.h | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 8abbb64bd..a2daeba8b 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -3686,6 +3686,18 @@ skb_header_pointer(const struct sk_buff *skb, int offset, int len, void *buffer)
skb_headlen(skb), buffer);
}
+/* Variant of skb_header_pointer() where @offset is user-controlled
+ * and potentially negative.
+ */
+static inline void * __must_check
+skb_header_pointer_careful(const struct sk_buff *skb, int offset,
+ int len, void *buffer)
+{
+ if (unlikely(offset < 0 && -offset > skb_headroom(skb)))
+ return NULL;
+ return skb_header_pointer(skb, offset, len, buffer);
+}
+
/**
* skb_needs_linearize - check if we need to linearize a given skb
* depending on the given device features.
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful()
2026-06-18 8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
2026-06-18 8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
@ 2026-06-18 8:08 ` Shivani Agarwal
2026-06-20 11:54 ` [PATCH v5.10 0/2] Fix CVE-2026-23204 Sasha Levin
2 siblings, 0 replies; 4+ messages in thread
From: Shivani Agarwal @ 2026-06-18 8:08 UTC (permalink / raw)
To: stable, gregkh
Cc: davem, edumazet, kuba, pabeni, horms, netdev, linux-kernel,
xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu, GangMin Kim,
Bin Lan, Shivani Agarwal
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit cabd1a976375780dabab888784e356f574bbaed8 ]
skb_header_pointer() does not fully validate negative @offset values.
Use skb_header_pointer_careful() instead.
GangMin Kim provided a report and a repro fooling u32_classify():
BUG: KASAN: slab-out-of-bounds in u32_classify+0x1180/0x11b0
net/sched/cls_u32.c:221
Fixes: fbc2e7d9cf49 ("cls_u32: use skb_header_pointer() to dereference data safely")
Reported-by: GangMin Kim <km.kim1503@gmail.com>
Closes: https://lore.kernel.org/netdev/CANn89iJkyUZ=mAzLzC4GdcAgLuPnUoivdLaOs6B9rq5_erj76w@mail.gmail.com/T/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260128141539.3404400-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Bin Lan <lanbincn@139.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Shivani: Modified to apply on 5.10.y ]
Signed-off-by: Shivani Agarwal <shivani.agarwal@broadcom.com>
---
net/sched/cls_u32.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
index f2a0c1068..e501390cc 100644
--- a/net/sched/cls_u32.c
+++ b/net/sched/cls_u32.c
@@ -149,10 +149,8 @@ static int u32_classify(struct sk_buff *skb, const struct tcf_proto *tp,
int toff = off + key->off + (off2 & key->offmask);
__be32 *data, hdata;
- if (skb_headroom(skb) + toff > INT_MAX)
- goto out;
-
- data = skb_header_pointer(skb, toff, 4, &hdata);
+ data = skb_header_pointer_careful(skb, toff, 4,
+ &hdata);
if (!data)
goto out;
if ((*data ^ key->val) & key->mask) {
@@ -202,8 +200,9 @@ static int u32_classify(struct sk_buff *skb, const struct tcf_proto *tp,
if (ht->divisor) {
__be32 *data, hdata;
- data = skb_header_pointer(skb, off + n->sel.hoff, 4,
- &hdata);
+ data = skb_header_pointer_careful(skb,
+ off + n->sel.hoff,
+ 4, &hdata);
if (!data)
goto out;
sel = ht->divisor & u32_hash_fold(*data, &n->sel,
@@ -217,7 +216,7 @@ static int u32_classify(struct sk_buff *skb, const struct tcf_proto *tp,
if (n->sel.flags & TC_U32_VAROFFSET) {
__be16 *data, hdata;
- data = skb_header_pointer(skb,
+ data = skb_header_pointer_careful(skb,
off + n->sel.offoff,
2, &hdata);
if (!data)
--
2.53.0
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH v5.10 0/2] Fix CVE-2026-23204
2026-06-18 8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
2026-06-18 8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
2026-06-18 8:08 ` [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful() Shivani Agarwal
@ 2026-06-20 11:54 ` Sasha Levin
2 siblings, 0 replies; 4+ messages in thread
From: Sasha Levin @ 2026-06-20 11:54 UTC (permalink / raw)
To: stable, gregkh
Cc: Sasha Levin, davem, edumazet, kuba, pabeni, horms, netdev,
linux-kernel, xiaosuo, iri, jhs, ajay.kaher, alexey.makhalov,
vamsi-krishna.brahmajosyula, yin.ding, tapas.kundu,
Shivani Agarwal
> [PATCH v5.10 0/2] Fix CVE-2026-23204
Queued the series for 5.10, thanks.
--
Thanks,
Sasha
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-20 11:55 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-18 8:08 [PATCH v5.10 0/2] Fix CVE-2026-23204 Shivani Agarwal
2026-06-18 8:08 ` [PATCH v5.10 1/2] net: add skb_header_pointer_careful() helper Shivani Agarwal
2026-06-18 8:08 ` [PATCH v5.10 2/2] net/sched: cls_u32: use skb_header_pointer_careful() Shivani Agarwal
2026-06-20 11:54 ` [PATCH v5.10 0/2] Fix CVE-2026-23204 Sasha Levin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox