A flaw in the Linux Kernel found. When splice() is called with a ktls socket as destination, the ktls code fails to update the internal "curr"/"copybreak" accounting that tracks which parts of the plaintext scatter-gather buffer (`struct sk_msg_sg`) are unused writable memory. This can cause subsequent writes to the socket to overwrite the contents of spliced pages, including pages from files to which the caller is not supposed to have write access. Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c5a595000e267
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2258817]
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2259000]
This was fixed for Fedora with the 6.6.7 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:0725 https://access.redhat.com/errata/RHSA-2024:0725
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:0723 https://access.redhat.com/errata/RHSA-2024:0723
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0724 https://access.redhat.com/errata/RHSA-2024:0724
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2024:0850 https://access.redhat.com/errata/RHSA-2024:0850
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2024:0851 https://access.redhat.com/errata/RHSA-2024:0851
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0876 https://access.redhat.com/errata/RHSA-2024:0876
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0881 https://access.redhat.com/errata/RHSA-2024:0881
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2024:0897 https://access.redhat.com/errata/RHSA-2024:0897
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1251 https://access.redhat.com/errata/RHSA-2024:1251
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1250 https://access.redhat.com/errata/RHSA-2024:1250
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:1248 https://access.redhat.com/errata/RHSA-2024:1248
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1253 https://access.redhat.com/errata/RHSA-2024:1253
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Telecommunications Update Service Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Via RHSA-2024:1268 https://access.redhat.com/errata/RHSA-2024:1268
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2024:1269 https://access.redhat.com/errata/RHSA-2024:1269
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Via RHSA-2024:1278 https://access.redhat.com/errata/RHSA-2024:1278
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2024:1306 https://access.redhat.com/errata/RHSA-2024:1306
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2024:1367 https://access.redhat.com/errata/RHSA-2024:1367
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1368 https://access.redhat.com/errata/RHSA-2024:1368
This comment was flagged a spam, view the edit history to see the original text if required.
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:1377 https://access.redhat.com/errata/RHSA-2024:1377
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Telecommunications Update Service Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Via RHSA-2024:1382 https://access.redhat.com/errata/RHSA-2024:1382
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404