Re: Linux 5.15.205

From: gregkh@xxxxxxxxxxxxxxxxxxx

Date: Fri May 08 2026 - 09:51:22 EST


On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> On Fri, May 8, 2026 at 2:44 PM gregkh@xxxxxxxxxxxxxxxxxxx
> <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> >
> > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > Hi,
> > >
> > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > >
> > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > >
> > > Would this need to be:
> > >
> > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > >
> > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> >
> > Adding Ben who did the 5.10 backport so he can comment on this.
> >
> > thanks,
> >
> > greg k-h
> >
>
> Hi,
>
> The newly released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
>
> ```
> $ ./run.sh
> === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> 'sick::0:0:<pad>:/:/bin/bash'
> === Stage 2 — verify
> sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> === Stage 3 — su - sick (empty password via PAM nullok)
> [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> # uname -r
> 5.15.205
> ```
>

Does the patch below fix this up?

thanks,

greg k-h

------------------


diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 68509e1f89b5..5d8f8a5901bc 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1443,7 +1443,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
goto error;
}

- skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
+ skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;

if (skb->ip_summed == CHECKSUM_NONE) {
__wsum csum;
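Review bot: the patch ships without a changelog, `Fixes:` tag or CVE reference, so nothing in the hunk itself records which 5.15 backport commit introduced the `tx_flags` write or that it is the fix for CVE-2026-43284 discussed in the thread; add a commit message naming that backport commit with a `Fixes:` line and the CVE id, and since the reporter states 5.15.205 is still vulnerable, ask for the reproducer to be re-run on a build carrying this change before it is queued for stable. The one-line change is consistent with the report above that `SKBFL_SHARED_FRAG` is a bit of `skb_shared_info->flags`, the field `skb_has_shared_frag()` reads, so setting it in `tx_flags` left the appended page unmarked as shared; it would be worth checking the rest of the same backport for any other `SKBFL_*` bit written into `tx_flags` instead of `flags`.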