From f67f546520b4514b3bd9485ae48a70f88cb413f1 Mon Sep 17 00:00:00 2001 From: "mergify[bot]" <37929162+mergify[bot]@users.noreply.github.com> Date: Wed, 13 May 2026 19:03:00 +0300 Subject: ci(mergify): upgrade configuration to current format (#1182) Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com> --- .github/mergify.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/mergify.yml b/.github/mergify.yml index b2cf6ace..9f5e1fdd 100644 --- a/.github/mergify.yml +++ b/.github/mergify.yml @@ -13,8 +13,8 @@ commands_restrictions: backport: &allowed conditions: - or: - - sender=@vyos/maintainers - - sender=vyosbot + - sender=@vyos/maintainers + - sender=vyosbot copy: *allowed dequeue: *allowed queue: *allowed @@ -23,3 +23,5 @@ commands_restrictions: requeue: *allowed squash: *allowed update: *allowed +merge_protections_settings: + reporting_method: check-runs -- cgit v1.2.3 From d2d23bb8cafb209fc4459adaf43748e304b84392 Mon Sep 17 00:00:00 2001 From: Christian Breunig Date: Thu, 14 May 2026 13:34:49 +0200 Subject: Kernel: T8864: add patch for "fragnesia" local privilege escalation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fragnesia is a universal Linux local privilege escalation exploit, discovered with V12 by William Bowling with the V12 team. Fragnesia is a member of the Dirty Frag vulnerability class. This is a separate bug in the ESP/XFRM from dirtyfrag which has received its own patch. However, it is in the same surface and the mitigation is the same as for dirtyfrag. It abuses a logic bug in the Linux XFRM ESP-in-TCP subsystem to achieve arbitrary byte writes into the kernel page cache of read-only files, without requiring any race condition. The technique extends the page-cache write bug class that includes Dirty Pipe: when a TCP socket transitions to espintcp ULP mode after data has already been spliced from a file into the receive queue, the kernel processes the queued file pages as ESP ciphertext. The AES-GCM keystream byte at counter block position 2, byte 0 is XORed directly into the cached file page. By selecting the IV nonce to produce a desired keystream byte, any target byte in the file can be set to any value — one byte per trigger invocation. From: https://github.com/v12-security/pocs/blob/532994fc003a7/fragnesia/README.md --- ...preserve-shared-frag-marker-during-coales.patch | 53 ++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 scripts/package-build/linux-kernel/patches/kernel/0004-net-skbuff-preserve-shared-frag-marker-during-coales.patch diff --git a/scripts/package-build/linux-kernel/patches/kernel/0004-net-skbuff-preserve-shared-frag-marker-during-coales.patch b/scripts/package-build/linux-kernel/patches/kernel/0004-net-skbuff-preserve-shared-frag-marker-during-coales.patch new file mode 100644 index 00000000..b2a4f9be --- /dev/null +++ b/scripts/package-build/linux-kernel/patches/kernel/0004-net-skbuff-preserve-shared-frag-marker-during-coales.patch @@ -0,0 +1,53 @@ +Message-ID: <20260513041635.1289541-1-vakzz@zellic.io> +Date: Wed, 13 May 2026 04:16:35 +0000 +From: William Bowling +To: netdev@...r.kernel.org +Cc: "David S . Miller" , + Eric Dumazet , + Jakub Kicinski , + Paolo Abeni , + Steffen Klassert , + Herbert Xu , + David Ahern , + William Bowling +Subject: [PATCH] net: skbuff: preserve shared-frag marker during coalescing + +skb_try_coalesce() can attach paged frags from @from to @to. If @from +has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same +externally-owned or page-cache-backed frags, but the shared-frag marker +is currently lost. + +That breaks the invariant relied on by later in-place writers. In +particular, ESP input checks skb_has_shared_frag() before deciding +whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP +receive coalescing has moved shared frags into an unmarked skb, ESP can +see skb_has_shared_frag() as false and decrypt in place over page-cache +backed frags. + +Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged +frags. The tailroom copy path does not need the marker because it copies +bytes into @to's linear data rather than transferring frag descriptors. + +Fixes: cef401de7be8 ("net: fix possible wrong checksum generation") +Fixes: f4c50a4034e6 ("xfrm: esp: avoid in-place decrypt on shared skb frags") +Signed-off-by: William Bowling +--- + net/core/skbuff.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index a4695882d1c4..3e8f0b8226ca 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -6149,6 +6149,8 @@ bool skb_try_coalesce(struct sk_buff *to, struct sk_buff *from, + from_shinfo->frags, + from_shinfo->nr_frags * sizeof(skb_frag_t)); + to_shinfo->nr_frags += from_shinfo->nr_frags; ++ if (from_shinfo->nr_frags) ++ to_shinfo->flags |= from_shinfo->flags & SKBFL_SHARED_FRAG; + + if (!skb_cloned(from)) + from_shinfo->nr_frags = 0; +-- +2.39.5 + -- cgit v1.2.3