Skip to content

kernel: backport "net: gro: don't merge zcopy skbs" (CVE-pending)#17414

Open
omkhar wants to merge 1 commit into
microsoft:3.0-devfrom
omkhar:fix/gro-zcopy-uaf
Open

kernel: backport "net: gro: don't merge zcopy skbs" (CVE-pending)#17414
omkhar wants to merge 1 commit into
microsoft:3.0-devfrom
omkhar:fix/gro-zcopy-uaf

Conversation

@omkhar
Copy link
Copy Markdown

@omkhar omkhar commented May 23, 2026

Summary

Backports upstream commit 4db79a322db8 ("net: gro: don't merge zcopy skbs") into the Azure Linux 3.0 kernel-6.6.139.1 package. The fix prevents a UAF in skb_gro_receive() that allows unprivileged LPE via io_uring SEND_ZC + veth GRO.

Why this matters for Azure Linux 3

  • Pre-condition (SKBFL_MANAGED_FRAG_REFS, introduced upstream by 753f1ca4e1e5) is present in 6.6 LTS → 6.6.139.1
  • io_uring is enabled by default (kernel.io_uring_disabled=0)
  • A public PoC achieves root LPE in ~4/5 trials on stock 6.6.139.1-1.azl3 (Azure D2as_v5 VM, F32s_v2 build VM)

Change

  • Adds SPECS/kernel/0002-net-gro-don-t-merge-zcopy-skbs.patch — 3-line addition to net/core/gro.c's skb_gro_receive() returning -ETOOMANYREFS when either skb is zero-copy
  • Spec uses %autosetup -p1 so the patch auto-applies during %prep
  • Release bumped to 2%{?dist}; changelog entry added

Empirical verification (Azure)

Built and booted kernel-6.6.139.1-2.azl3.x86_64 (6.6.139.1-grofix) on an F32s_v2 VM:

unpatched 6.6.139.1-1.azl3 patched 6.6.139.1-grofix
Public PoC (lcfr-eth/2566a5cef312c94a5ff8d62fa417955f) over 5 trials 4/5 root achieved (hax::0:0::/root:/bin/sh injected into /etc/passwd) 0/5 (UAF prevented; PTE extraction lands on poisoned page each trial — page-poison sentinel 0xdeadbeefdeadbeef observed)
tools/testing/selftests/net/gro.sh n/a "All Tests Succeeded"
skb_gro_receive disasm — `skb_zcopy(p) skb_zcopy(skb)` guard

Test plan

  • Patch applies cleanly via %autosetup against kernel-6.6.139.1-1.azl3 SRPM
  • Kernel builds without error (make -j12 vmlinux bzImage modules)
  • Kernel boots; gro selftest passes
  • Public PoC blocked across 5 trials
  • CI / pipeline build (CLA-bot + build pipeline will run after PR open)

References

  • Upstream fix: 4db79a322db8c97f7b73b8a347395ef4d685eb40
  • Introduced by: 753f1ca4e1e5 ("net: introduce managed frags infrastructure")
  • Author: Sabrina Dubroca <sd@queasysnail.net>
  • Reported by: Huzaifa Sidhpurwala <huzaifas@redhat.com>

🤖 Generated with Claude Code

@omkhar omkhar requested a review from a team as a code owner May 23, 2026 11:17
@omkhar
Copy link
Copy Markdown
Author

omkhar commented May 23, 2026

@microsoft-github-policy-service agree

@christopherco
Copy link
Copy Markdown
Collaborator

christopherco commented May 24, 2026
edited
Loading

Thanks for the contribution, @omkhar . We're taking a closer look at the backport and will follow up shortly. In the meantime, please retarget the PR to our 3.0-dev branch, which is our primary branch for 3.0 changes. ref link on branch structure

cc: @allenpais

@omkhar omkhar changed the base branch from 3.0 to 3.0-dev May 24, 2026 12:38
@omkhar omkhar requested a review from a team as a code owner May 24, 2026 12:38
@microsoft-github-policy-service microsoft-github-policy-service Bot added specs-extended PR to fix SPECS-EXTENDED Tools 3.0-dev PRs Destined for AzureLinux 3.0 labels May 24, 2026
@omkhar
kernel: backport "net: gro: don't merge zcopy skbs"
d1e49cb 
Backport upstream commit 4db79a322db8 ("net: gro: don't merge zcopy
skbs") into the Azure Linux 3.0 kernel-6.6.139.1 package.

skb_gro_receive() can currently copy frags between the source and GRO
skb without checking the zerocopy status, in particular the
SKBFL_MANAGED_FRAG_REFS flag. When SKBFL_MANAGED_FRAG_REFS is set, the
skb doesn't hold a reference on the pages in shinfo->frags. Appending
those frags to another skb's frags without fixing up the page refcount
leads to a use-after-free.

The fix returns -ETOOMANYREFS from skb_gro_receive() when either skb is
zerocopy, preventing the merge. Equivalent to the upstream net.git
commit and the same one-line addition shipping in stable kernels.

Fixes: 753f1ca4e1e5 ("net: introduce managed frags infrastructure")
Upstream-Status: Backport [4db79a322db8c97f7b73b8a347395ef4d685eb40]
Upstream-Author: Sabrina Dubroca <sd@queasysnail.net>
Reported-by: Huzaifa Sidhpurwala <huzaifas@redhat.com>

Verified empirically on Azure F32s_v2 VM running 6.6.139.1-grofix:
public PoC (lcfr-eth/2566a5cef312c94a5ff8d62fa417955f) succeeded 4/5
trials on unpatched 6.6.139.1; succeeded 0/5 on patched kernel (page
poisoning sentinel observed in PTE[0] each trial - UAF prevented).
`gro.sh` selftest passes ("All Tests Succeeded").
@omkhar omkhar force-pushed the fix/gro-zcopy-uaf branch from 8ddeef4 to d1e49cb Compare May 24, 2026 12:41
@omkhar
Copy link
Copy Markdown
Author

omkhar commented May 24, 2026

Retargeted to 3.0-dev — thanks for the pointer to the branch-structure table. Rebased the single backport commit onto current 3.0-dev (clean apply, no spec conflicts). Standing by for the backport review whenever you and @allenpais have cycles.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

3.0-dev PRs Destined for AzureLinux 3.0 3.0 PRs Destined for 3.0 Packaging specs-extended PR to fix SPECS-EXTENDED Tools

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@omkhar @christopherco