From e6ee319649b21ab3dcde9979d827c03bde833a73 Mon Sep 17 00:00:00 2001 From: omkhar Date: Sun, 24 May 2026 23:08:23 -0400 Subject: [PATCH] Patch kernel: backport ixgbevf UAF fix in VEPA multicast source pruning (torvalds/linux@5d49b568) Backport upstream fix. Upstream commit: torvalds/linux@5d49b568c188dc77199d8d2b959c91da8cc27cf1 Signed-off-by: omkhar --- ...8c188-ixgbevf-fix-uaf-vepa-multicast.patch | 63 +++++++++++++++++++ SPECS/kernel/kernel.signatures.json | 7 ++- SPECS/kernel/kernel.spec | 6 +- 3 files changed, 72 insertions(+), 4 deletions(-) create mode 100644 SPECS/kernel/5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch diff --git a/SPECS/kernel/5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch b/SPECS/kernel/5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch new file mode 100644 index 00000000000..e1ef5296ce7 --- /dev/null +++ b/SPECS/kernel/5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch 
@@ -0,0 +1,63 @@ +From 5d49b568c188dc77199d8d2b959c91da8cc27cf1 Mon Sep 17 00:00:00 2001 +From: Michael Bommarito +Date: Fri, 15 May 2026 11:24:14 -0700 +Subject: ixgbevf: fix use-after-free in VEPA multicast source pruning + +ixgbevf_clean_rx_irq() prunes frames whose source MAC matches the VF's +own address (VEPA multicast workaround) by freeing the skb and +continuing to the next descriptor: + + dev_kfree_skb_irq(skb); + continue; + +The skb pointer is declared outside the while loop and persists across +iterations. Because the continue skips the "skb = NULL" reset at the +bottom of the loop, the next iteration enters the "else if (skb)" path +and calls ixgbevf_add_rx_frag() on the freed skb, dereferencing +skb_shinfo(skb)->nr_frags - a use-after-free in NAPI softirq context. + +The sibling driver iavf already handles this correctly by nulling the +pointer before continuing. Apply the same pattern here. + +I do not have ixgbevf hardware; the bug was found by static analysis +(scan_drop_continue_loops.py + semgrep drop_continue_in_loop, multi-tool +corroboration with the highest score in the scan). The UAF was confirmed +under KASAN by loading a test module that reproduces the exact code +pattern (alloc skb, kfree_skb, then read skb_shinfo(skb)->nr_frags): + + BUG: KASAN: slab-use-after-free in ixgbevf_uaf_test_init+0x100/0x1000 + Read of size 8 at addr 000000006163ae78 by task insmod/30 + freed 208-byte region [000000006163adc0, 000000006163ae90) + +QEMU emulates igb (82576) but not ixgbe (82599), and the igbvf VF +driver does not include the VEPA source pruning path, so a full +end-to-end reproduction with emulated hardware was not possible. 
+ +Fixes: bad17234ba70 ("ixgbevf: Change receive model to use double buffered page based receives") +Cc: stable@vger.kernel.org +Signed-off-by: Michael Bommarito +Reviewed-by: Simon Horman +Tested-by: Rafal Romanowski +Signed-off-by: Tony Nguyen +Link: https://patch.msgid.link/20260515182419.1597859-8-anthony.l.nguyen@intel.com +Signed-off-by: Jakub Kicinski +--- + drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +index 42f89a179a3fa..4ba3be961ab66 100644 +--- a/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c ++++ b/drivers/net/ethernet/intel/ixgbevf/ixgbevf_main.c +@@ -1221,6 +1221,7 @@ static int ixgbevf_clean_rx_irq(struct ixgbevf_q_vector *q_vector, + ether_addr_equal(rx_ring->netdev->dev_addr, + eth_hdr(skb)->h_source)) { + dev_kfree_skb_irq(skb); ++ skb = NULL; + continue; + } + +-- +cgit 1.3-korg + + diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 8beb1041c9b..1b263891a7f 100644 --- a/SPECS/kernel/kernel.signatures.json +++ b/SPECS/kernel/kernel.signatures.json 
@@ -1,11 +1,12 @@ { "Signatures": { + "5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch": "45ed459d49afc13c0a51064ca5efc7910d65e4fce45f15850307a0e43b4ab635", "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", "config": "09474b8388008baf182997b999d691f71331ac2d266a9c0a5414c58923135070", "config_aarch64": "242765f15998ffcbce7a3f577e69a1657de836b8906afe510cd9490920fd2619", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", - "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", - "kernel-6.6.139.1.tar.gz": "38cdd56ae6c662c314e31226c34587d6ceba393495e64e43fd38898a50fdb617" + "kernel-6.6.139.1.tar.gz": "38cdd56ae6c662c314e31226c34587d6ceba393495e64e43fd38898a50fdb617", + "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f" } -} +} \ No newline at end of file diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index b972257310c..6359c1bd0df 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -32,7 +32,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -46,6 +46,7 @@ Source4: azurelinux-ca-20230216.pem Source5: cpupower Source6: cpupower.service Patch0: 0001-add-mstflint-kernel-%{mstflintver}.patch +Patch1: 5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch BuildRequires: audit-devel BuildRequires: bash BuildRequires: bc @@ -440,6 +441,9 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Mon May 25 2026 omkhar - 6.6.139.1-2 +- Backport upstream UAF fix for ixgbevf (torvalds/linux@5d49b568). Author: Michael Bommarito. + * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1 - Auto-upgrade to 6.6.139.1
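Review bot: in the SPECS/kernel/kernel.signatures.json hunk the closing brace line is rewritten from `-}` to `+}` followed by `\ No newline at end of file`, so the commit strips the file's trailing newline without changing any content; restore the newline so the file stays POSIX-clean and the next edit does not produce the same spurious one-line churn. Separately, the new `"5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch": "45ed459d..."` entry must match the patch file exactly as committed, so run `sha256sum SPECS/kernel/5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch` against the committed file before merging, since any later whitespace change to the .patch (including the blank lines at its tail) will fail the build's signature check.

Review bot: the SPECS/kernel/kernel.spec hunk only adds `Patch1: 5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch` next to `Patch0: 0001-add-mstflint-kernel-%{mstflintver}.patch` and bumps `Release: 2%{?dist}`; the %prep section is not in the diff, so please confirm it applies patches generically (for example `%autosetup -p1`) rather than listing them one by one. If %prep applies Patch0 explicitly, a matching `%patch1 -p1` (or `%patch -P1 -p1`) line is missing here and the backport would be declared but never applied, which the build would not flag.

Review bot: the embedded upstream hunk (`@@ -1221,6 +1221,7 @@ static int ixgbevf_clean_rx_irq(`) adds the single `+ skb = NULL;` after `dev_kfree_skb_irq(skb);`, which matches the loop-carried-pointer bug the upstream commit message describes and the pattern already used by the `ixgbevf_cleanup_headers()` drop path. The patch is carried verbatim from the mainline commit, so before relying on the spec build to surface an offset mismatch, do a `patch -p1 --dry-run < SPECS/kernel/5d49b568c188-ixgbevf-fix-uaf-vepa-multicast.patch` against the unpacked kernel-6.6.139.1 tree and confirm the context (the `ether_addr_equal(rx_ring->netdev->dev_addr, eth_hdr(skb)->h_source)` check) is present in this stable tree; the `Fixes:` tag points at `bad17234ba70`, which predates 6.6, so the code should be there, but the line offset may not be 1221.

Review bot: the %changelog entry `* Mon May 25 2026 omkhar - 6.6.139.1-2` credits the upstream author but does not record the CVE or stable-tree reference; if a CVE identifier is assigned for this fix, add it to the changelog line so the package's fixed-in metadata can be queried without opening the patch.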
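To make the failure mode in the upstream commit message concrete, here is an added, constructed model of the loop shape it describes: a buffer pointer declared outside the per-descriptor loop, an early-drop path that frees it and then `continue`s, and a `skb = NULL` reset at the bottom of the loop that the early path skips. It is not the driver's code and not part of this patch. All names (`buf_t`, `rx_desc_t`, `buf_pool`, `run_rx_loop`, `sample_ring`) are hypothetical, and a tiny pool with a `freed` flag stands in for the kernel allocator so the stale read is counted deterministically instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed model (not driver code) of the ixgbevf_clean_rx_irq() loop
 * shape described in the commit message. buf_t stands in for an skb,
 * rx_desc_t for a receive descriptor, buf_pool for the slab allocator.
 */

#define POOL_SLOTS 4

typedef struct {
	bool in_use;   /* handed out by buf_alloc() and not yet freed */
	bool freed;    /* set by buf_free(); reading a slot with freed=true is a UAF */
	int nr_frags;  /* stands in for skb_shinfo(skb)->nr_frags */
} buf_t;

typedef struct {
	bool eop;          /* end of packet: last descriptor of this frame */
	bool src_is_self;  /* multicast/broadcast frame whose source MAC is our own */
} rx_desc_t;

static buf_t buf_pool[POOL_SLOTS];

static buf_t *buf_alloc(void)
{
	for (size_t i = 0; i < POOL_SLOTS; i++) {
		if (!buf_pool[i].in_use) {
			buf_pool[i].in_use = true;
			buf_pool[i].freed = false;
			buf_pool[i].nr_frags = 0;
			return &buf_pool[i];
		}
	}
	return NULL;
}

static void buf_free(buf_t *b)
{
	b->in_use = false;
	b->freed = true;
}

/*
 * Walk a constructed descriptor ring. With fix_applied=false the self-sourced
 * drop leaves the stale pointer in place (the bug); with fix_applied=true the
 * pointer is nulled before "continue" (the one-line upstream fix).
 * Returns the number of reads through an already-freed buffer; *delivered
 * receives the number of frames handed up the stack.
 */
static int run_rx_loop(const rx_desc_t *ring, size_t n, bool fix_applied,
		       int *delivered)
{
	buf_t *skb = NULL;          /* declared outside the loop, as in the driver */
	int stale_reads = 0;

	*delivered = 0;
	for (size_t i = 0; i < n; i++) {
		if (!skb) {
			skb = buf_alloc();          /* first buffer of a frame: build the skb */
			if (!skb)
				return -1;              /* constructed pool exhausted */
		} else {
			/* add_rx_frag path: touches skb_shinfo(skb)->nr_frags */
			if (skb->freed)
				stale_reads++;
			skb->nr_frags++;
		}

		if (!ring[i].eop)
			continue;                   /* more buffers follow for this frame */

		if (ring[i].src_is_self) {
			buf_free(skb);              /* dev_kfree_skb_irq(skb) */
			if (fix_applied)
				skb = NULL;             /* the upstream fix */
			continue;                   /* skips the reset at the bottom */
		}

		buf_free(skb);                      /* the stack consumes the frame */
		(*delivered)++;
		skb = NULL;                         /* normal bottom-of-loop reset */
	}
	return stale_reads;
}

/* Constructed ring: one self-sourced frame, then a two-descriptor normal frame. */
static const rx_desc_t sample_ring[] = {
	{ .eop = true,  .src_is_self = true  },
	{ .eop = false, .src_is_self = false },
	{ .eop = true,  .src_is_self = false },
};
#define SAMPLE_RING_LEN (sizeof(sample_ring) / sizeof(sample_ring[0]))

static int stale_reads_without_fix(void)
{
	int d;
	return run_rx_loop(sample_ring, SAMPLE_RING_LEN, false, &d);
}

static int stale_reads_with_fix(void)
{
	int d;
	return run_rx_loop(sample_ring, SAMPLE_RING_LEN, true, &d);
}

int main(void)
{
	int delivered;
	int stale = run_rx_loop(sample_ring, SAMPLE_RING_LEN, false, &delivered);
	printf("without fix: %d stale reads, %d delivered\n", stale, delivered);
	stale = run_rx_loop(sample_ring, SAMPLE_RING_LEN, true, &delivered);
	printf("with fix:    %d stale reads, %d delivered\n", stale, delivered);
	return 0;
}
```

Without the fix, the second and third descriptors are both appended to the buffer freed on the first iteration, and the frame eventually "delivered" is that same freed buffer, so the real driver would hand a freed skb to the stack and free it again. With the `skb = NULL` reset, the second descriptor starts a fresh buffer and no freed slot is touched. The same audit applies to any `free(); continue;` inside a loop whose pointer lives across iterations, which is the pattern the commit message says the static scan keyed on.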