** Description changed:
- == Summary ==
- During source code analysis of Ubuntu 6.8.0-124-generic,
- 3 upstream security fixes in net/tls/tls_sw.c were found
- missing. None of these fixes have been assigned a CVE.
+ [ Impact ]
- == Environment ==
- Kernel: 6.8.0-124-generic
- Package: linux-source-6.8.0 (apt)
- Verification method: Source diff vs upstream commits
+ Three upstream net/tls bug fixes are missing from Noble (6.8.0, present
+ through 6.8.0-132.133). All three touch net/tls/tls_sw.c, affect only
+ kTLS sockets, and were not assigned a CVE upstream. They address data
+ integrity and memory safety issues in the TLS software path:
- == Issue 1: Silent data drop under pipe back-pressure ==
- Upstream fix: 7e7be31bfdb0 (2026-05-02)
- Author: Jakub Kicinski
- CVE: NOT ASSIGNED
+ 1) Silent data drop under pipe back-pressure.
+ tls_sw_splice_read() advances rxm->offset / rxm->full_len by the
+ requested length instead of the number of bytes actually spliced
+ into the pipe. When the destination pipe cannot accept everything,
+ splice_to_pipe() returns fewer bytes than requested and the
+ difference is silently skipped, corrupting the TLS RX stream.
- Vulnerable code (tls_sw.c line 2288-2290):
- if (chunk < rxm->full_len) {
- rxm->offset += len;
- rxm->full_len -= len;
+ 2) Off-by-one in the sg_chain() entry count for a wrapped sk_msg ring.
+ When the sk_msg scatterlist ring wraps (sg.end < sg.start), the
+ chain pointer is placed one entry short of the true last entry, so
+ the crypto engine is handed a malformed scatterlist.
- Required fix:
- if (copied < rxm->full_len) {
- rxm->offset += copied;
- rxm->full_len -= copied;
+ 3) chain-after-chain in the plaintext SG path.
+ When the ring is empty (end == 0) the existing code emits a chain
+ link that points directly at another chain link. The scatterlist
+ API (sg_next) does not resolve consecutive chain links, so this is
+ illegal input to crypto.
- Impact: When pipe is full during tls_sw_splice_read(),
- skb_splice_bits() returns copied < chunk.
- Ubuntu code advances rxm->offset by len instead
- of copied, silently skipping unread bytes.
- Causes data integrity violation in TLS RX splice path.
+ [ Fix ]
- == Issue 2: Off-by-one in sg_chain entry count ==
- Upstream fix: 285943c6e7ca (2026-05-14)
- Author: Jakub Kicinski
- CVE: NOT ASSIGNED
- Reported by: 钱一铭 ([email protected])
+ Clean cherry-picks of the following upstream commits, in order:
- Vulnerable code (tls_sw.c line 803-804):
- sg_chain(&msg_pl->sg.data[msg_pl->sg.start],
- MAX_SKB_FRAGS - msg_pl->sg.start + 1,
- msg_pl->sg.data);
+ 7e7be31bfdb0 ("net: tls: fix silent data drop under pipe back-pressure")
+ 285943c6e7ca ("net: tls: fix off-by-one in sg_chain entry count for
+ wrapped sk_msg ring")
+ ff26a0e8377d ("net: tls: prevent chain-after-chain in plain text SG")
- Required fix:
- sg_chain(msg_pl->sg.data,
- ARRAY_SIZE(msg_pl->sg.data),
- msg_pl->sg.data);
+ (1) fixes commit e062fe99cccd; (2) and (3) fix commit 9aaaa56845a0.
+ Both Fixes: targets are present in Noble.
- Impact: When sk_msg scatterlist ring wraps
- (sg.end < sg.start), wrong sg_chain index
- places chain pointer at data[MAX_SKB_FRAGS]
- instead of true last entry.
- Crypto engine receives invalid scatterlist,
- potential slab-out-of-bounds read/write.
+ [ Test Plan ]
- == Issue 3: chain-after-chain prevention in TLS 1.3 ==
- Upstream fix: ff26a0e8377d (2026-05-14)
- Author: Jakub Kicinski
- CVE: NOT ASSIGNED
+ Build: CBD build cengiz-noble-a55bcaa0d741-8479
+ amd64: BUILD-OK
+ arm64: BUILD-OK
+ armhf: BUILD-OK
+ ppc64el: BUILD-OK
+ s390x: BUILD-OK
- Vulnerable code (tls_sw.c line 796):
- sg_chain(msg_pl->sg.data, msg_pl->sg.end + 1,
- &rec->sg_content_type);
+ Boot: PASS (Kybele uvt-kvm boot test using the amd64 CBD artifacts)
+ Kernel: 6.8.0-132-generic
+ uname -v: #133 SMP PREEMPT_DYNAMIC Wed Jun 24 11:46:08 UTC 2026
- Required fix:
- sg_chain(msg_pl->sg.data, i + 2,
- &rec->sg_content_type);
+ [ Where Problems Could Occur ]
- Impact: SGL does not allow chain-after-chain.
- For TLS 1.3, wrong chain size when wrap entry
- exists causes invalid scatterlist for
- content_type byte, potential memory corruption
- in crypto path.
+ The changes are confined to net/tls/tls_sw.c and only affect TLS
+ sockets that use the kernel TLS software path. A regression would
+ manifest as TLS send/receive failures or data corruption on kTLS
+ sockets; traffic that does not use kTLS is unaffected.
- == Verification ==
- Commands to reproduce:
+ [ Other Info ]
- sudo apt install linux-source-6.8.0
- sudo tar xf /usr/src/linux-source-6.8.0/\
- linux-source-6.8.0.tar.bz2 -C /tmp/
-
- # Issue 1:
- grep -n "rxm->offset += len" \
- /tmp/linux-source-6.8.0/net/tls/tls_sw.c
- # Expected: line 2289 (vulnerable)
-
- # Issue 2:
- grep -n "MAX_SKB_FRAGS - msg_pl->sg.start" \
- /tmp/linux-source-6.8.0/net/tls/tls_sw.c
- # Expected: line 804 (vulnerable)
-
- # Issue 3:
- grep -n "sg.end + 1" \
- /tmp/linux-source-6.8.0/net/tls/tls_sw.c
- # Expected: line 796 (vulnerable)
-
- == References ==
- 7e7be31bfdb0: https://git.kernel.org/torvalds/c/7e7be31bfdb0
- 285943c6e7ca: https://git.kernel.org/torvalds/c/285943c6e7ca
- ff26a0e8377d: https://git.kernel.org/torvalds/c/ff26a0e8377d
+ None of these commits carry a CVE upstream. They are pure upstream
+ cherry-picks with no Ubuntu-specific adaptations.
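Review bot: the [ Test Plan ] records only build and boot results, yet the [ Where Problems Could Occur ] section says a regression would show up as send/receive failures or data corruption on kTLS sockets, so the plan should also include a functional kTLS run on the patched 6.8.0-132 kernel that exercises the three changed paths: a splice read from a kTLS socket into a pipe that fills up (fix 1), and sends large enough to wrap the sk_msg scatterlist ring on both TLS 1.2 and TLS 1.3 sockets (fixes 2 and 3), checking that received data matches what was sent. Minor documentation point: the bug title still names 6.8.0-124-generic while the new [ Impact ] states the fixes are missing through 6.8.0-132.133, so the title could be updated to match.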
--
https://bugs.launchpad.net/bugs/2155609
Title:
net/tls: Three upstream fixes without CVE missing from Ubuntu
6.8.0-124-generic
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs