Patch kernel to fix CVE-2026-43456#17909
Conversation
|
Flagging severity + a handling question for maintainers: Severity / exigency: CVE-2026-43456 has a public, reliable local-privilege-escalation exploit (Google kernelCTF). The trigger only needs Question: I know the kernel is normally serviced by auto-upgrade rather than hand-added CVE patches. How would you prefer to handle this one?
Happy to follow your call and to adjust the patch/spec as needed. Full validation (kprobe |
Backport upstream fix for CVE-2026-43456, a type confusion in the bonding driver's bond_setup_by_slave(). When a non-Ethernet slave (e.g. a GRE tunnel) is enslaved to a bond, the bond blindly copied the slave's header_ops onto itself; a later dev_hard_header() on the bond then called e.g. ipgre_header() with the bond device, so netdev_priv() returned the bond's struct bonding reinterpreted as struct ip_tunnel -> type confusion -> local privilege escalation (public kernelCTF PoC). Upstream commit: torvalds/linux 950803f7254721c1c15858fbbfae3deaaeeecb11 Author: Jiayuan Chen <jiayuan.chen@shopee.com> Fixes: 1284cd3a2b74 ("bonding: two small fixes for IPoIB support") Reviewed-by: Eric Dumazet <edumazet@google.com> The fix is single-file (drivers/net/bonding/bond_main.c) and applies cleanly to the 6.6.143.1 (rolling-lts/mariner-3) source via %autosetup -p1. Applied to both from-source kernels (kernel, kernel-64k); release bumped across the entangled kernel spec set (kernel-headers, kernel-signed, kernel-64k-signed, kernel-uki-signed) and the kernel-headers manifest. Signed-off-by: Omkhar Arasaratnam <omkhar@linkedin.com> Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
b2f5a24 to
ee7167f
Compare
|
One routing question for maintainers: is this eligible for Given the public kernelCTF LPE exploit and that the fix isn't yet in If you'd like it fast-tracked, I'm happy to retarget the PR to |
Merge Checklist
*-staticsubpackages, etc.) have had theirReleasetag incremented.*.signatures.jsonfilessudo make go-tidy-allandsudo make go-test-coveragepassSummary
Backport the upstream fix for CVE-2026-43456, a type confusion in the bonding driver's
bond_setup_by_slave().When a non-Ethernet slave (e.g. a GRE tunnel) is enslaved to a bond, the bond blindly copied the slave's
header_opsonto itself:A later
dev_hard_header()on the bond then invokes e.g.ipgre_header()with the bond device, sonetdev_priv()returns the bond'sstruct bondingreinterpreted as the slave protocol's private type (e.g.struct ip_tunnel) — a type confusion that leads to garbage reads / controlled corruption and local privilege escalation. A public exploit exists (Google kernelCTF, reliable LPE; trigger only needsCAP_NET_ADMIN, obtainable via unprivileged user namespaces).The upstream fix introduces
bond_header_opswrapper functions that delegate to the active slave'sheader_opsusing the slave's own device, sonetdev_priv()always sees the correct type.Upstream commit: torvalds/linux
950803f7254721c1c15858fbbfae3deaaeeecb111284cd3a2b74("bonding: two small fixes for IPoIB support") (2007)The fix is a single file (
drivers/net/bonding/bond_main.c) and applies cleanly to the6.6.143.1(rolling-lts/mariner-3) source via%autosetup -p1.Change Log
CVE-2026-43456.patch(upstream950803f7, attribution preserved) to the two from-source kernels:SPECS/kernel(Patch1) andSPECS/kernel-64k(Patch2).Release6.6.143.1-1->-2across the entangled kernel spec set:kernel,kernel-64k,kernel-headers,kernel-signed,kernel-64k-signed,kernel-uki-signed.kernel-headersNVR (-1->-2) intoolchain_{x86_64,aarch64}.txtandpkggen_core_{x86_64,aarch64}.txt.Does this affect the toolchain?
YES —
kernel-headersis a core/toolchain package, so itsReleasebump requires thetoolchain_*.txt/pkggen_core_*.txtmanifest update (included). No toolchain source changes.Links to CVEs
Test Methodology
Validated against the exact
6.6.143.1(rolling-lts/mariner-3) kernel source this spec consumes:patch -p1 --dry-runofCVE-2026-43456.patchagainst the consumedbond_main.creturns RC=0; post-apply the rawheader_opscopy is gone and thebond_header_ops/bond_header_create/bond_header_parseguard is present.ipgre_headerkprobe capturing thedevargument shows the bond device (bond1) being passed on 7/7 trigger sends — i.e. the type confusion path is reached (netdev_priv(bond1)=struct bondinghanded to GRE code expectingstruct ip_tunnel).bond_header_create(bond1) -> ipgre_header(gre1)on 12/12 sends, 0bond1— the wrapper routes to the slave's own device, eliminating the confusion.net.ipv6_lib+net.multicast(the single-VM-tolerantdrivers/netsubsystem suites) — 0 new failures patched vs baseline (the 3net.multicastfails are Azure-VNet-blocks-L2-multicast environmental, identical on both sides).(The type confusion is an in-bounds wrong-type read, so it does not crash a naive PoC / KASAN — the kprobe
dev-argument differential is the deterministic signal; a crash requires exploit-grade heap shaping, per the public kernelCTF exploit.)Note to maintainers
This is intentionally an out-of-tree carry:
950803f7is not yet inlinux-6.6.ystable (it is already in6.12.yand6.18.y), so[AUTOPATCHER-kernel]cannot pull it yet. I recognise the kernel is normally serviced by auto-upgrade rather than hand-added CVE patches — I'm raising this manually only because there is a public, reliable LPE exploit against the currently-shipping6.6.143.1, and I'd rather not leave that window open until 6.6.y catches up.Happy to defer to your preference: keep this as a carry until AUTOPATCHER pulls the stable backport (and I'll close it then), or drop it if you'd rather wait. Also glad to route it through
fasttrack/3.0if that's the appropriate channel for an exigent kernel CVE — please advise.There is a follow-up upstream commit
b7405dcf7385("bonding: prevent potential infinite loop in bond_header_parse()",Fixes: 950803f7) that hardens the code this patch adds; it is a broaderheader_ops->parseABI change (9 files) and addresses a separate, lower-severityCAP_NET_ADMIN-gated DoS, so I've kept it out of this PR and can raise it separately if you'd like.