From 860e16fb65e51b3432428cf23238774492b2d654 Mon Sep 17 00:00:00 2001 From: Jess Sullivan Date: Sat, 9 May 2026 16:19:01 -0400 Subject: [PATCH] docs: refresh CVE and xr11 status --- README.md | 42 +++++++++++++++++++++++++----------------- xr/security/README.md | 4 ++-- xr/source-sync.md | 13 +++++++++---- 3 files changed, 36 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 0f94c8bae446ed..2b514280e802f1 100644 --- a/README.md +++ b/README.md @@ -8,11 +8,11 @@ Fork of `torvalds/linux` with CI-built RPMs carrying VR/XR patches. ## Current State -As of 2026-04-25: +As of 2026-05-09: | Area | Status | Notes | | --- | --- | --- | -| Release artifacts | Proven | Latest public release ships generic and RT RPMs. | +| Release artifacts | Proven, next candidate building | `v6.19.5-xr10` is the latest published secured lab release with generic and RT RPMs. `v6.19.5-xr11` is the current merged build candidate for the expanded Dirty Frag RxRPC RXGK route. | | `honey` rollout | Proven (generic) | `honey` is persistently defaulted to the generic XR kernel lane. | | `honey` RT boot | Reboot-valid, gated | RT boot and `/sys/kernel/realtime=1` verification succeeded; Dell's repeated host packet is cautionary, so regular use still needs downstream deadline evidence. | | `yoga` rollout | Proven one-time generic boot | Generic XR RPM install and one-time boot succeeded; stock Rocky remains the persistent fallback. | 
@@ -84,8 +84,8 @@ The real RPM release lane remains [`build-kernel.yml`](.github/workflows/build-k | `bigscreen-beyond-edid.patch` | EDID non-desktop quirk for Beyond (BIG/0x1234 + 0x5095) | | `cve-2026-31431-algif-aead.patch` | CVE-2026-31431 stable `6.19.y` security backport, applied automatically for vulnerable 6.19.x bases | | `dirtyfrag-esp-shared-frag.patch` | CVE-2026-43284 Dirty Frag ESP page-cache write hardening, applied automatically for supported vulnerable bases | -| `dirtyfrag-rxrpc-linearize.patch` | Reserved CVE-2026-43500 Dirty Frag RxRPC RXKAD in-place decrypt hardening, applied automatically for supported vulnerable bases | -| `dirtyfrag-rxrpc-rxgk-linearize.patch` | Reserved CVE-2026-43500 Dirty Frag RxRPC RXGK in-place decrypt hardening, applied automatically for supported RXGK-capable vulnerable bases | +| `dirtyfrag-rxrpc-linearize.patch` | CVE-2026-43500 Dirty Frag RxRPC RXKAD in-place decrypt hardening, applied automatically for supported vulnerable bases | +| `dirtyfrag-rxrpc-rxgk-linearize.patch` | CVE-2026-43500 Dirty Frag RxRPC RXGK in-place decrypt hardening, applied automatically for supported RXGK-capable vulnerable bases | | `patch-6.19.3-rt1.patch` | PREEMPT_RT real-time scheduling (RT variant only, downloaded from kernel.org) | XR carry patches are maintained in this repository under [`xr/patches`](xr/patches). @@ -277,7 +277,7 @@ Other vulnerable or unknown bases are refused unless `LINUX_XR_ALLOW_CVE_2026_31431=1` is set for explicit validation. The Dirty Frag gate tracks `CVE-2026-43284` for the ESP shared-frag fix and -the separate reserved `CVE-2026-43500` RxRPC in-place decrypt sinks. +the separate `CVE-2026-43500` RxRPC in-place decrypt sinks. Supported vulnerable bases apply [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch) and/or 
@@ -290,7 +290,7 @@ as needed. Unsupported vulnerable or unknown bases are refused unless For a no-build check of the active route: ```bash -./xr/scripts/build-rpm.sh --kernel-version 6.19.5 --xr-release 10 --security-preflight-only +./xr/scripts/build-rpm.sh --kernel-version 6.19.5 --xr-release 11 --security-preflight-only ``` For a read-only check of a running host: 
@@ -313,9 +313,9 @@ adding, dropping, or upstreaming a repo-managed CVE or public security backport. | CVE | Public name | linux-xr status | Repo links | External references | | --- | --- | --- | --- | --- | -| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10` by applying the stable `6.19.y` backport on top of the vulnerable `6.19.5` base; fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases | [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) | -| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. 
| [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) | -| CVE-2026-43500 (reserved) | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Current linux-xr main also requires the RXGK linearize/COW backport for `6.18.x`, `6.19.x`, and `7.0.x` bases that include RXGK. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. | [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) | +| CVE-2026-31431 | Copy Fail / `algif_aead` AF_ALG local privilege escalation | Patched in `v6.19.5-xr9` and carried forward in `v6.19.5-xr10`; the merged `v6.19.5-xr11` build route keeps the same stable `6.19.y` backport on top of the vulnerable `6.19.5` base. 
Fixed natively by upstream affected-range floors such as `6.19.12+`, `6.18.22+`, `6.12.85+`, `6.6.137+`, `6.1.170+`, `5.15.204+`, `5.10.254+`, and `7.0+` bases. | [`xr/security/cve-2026-31431-algif-aead.patch`](xr/security/cve-2026-31431-algif-aead.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`xr/scripts/check-cve-2026-31431-live.sh`](xr/scripts/check-cve-2026-31431-live.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-31431), [Red Hat RHSB-2026-02](https://access.redhat.com/security/vulnerabilities/RHSB-2026-02), [CISA KEV](https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431), [Copy Fail](https://copy.fail/) | +| CVE-2026-43284 | Dirty Frag / ESP page-cache write | `v6.19.5-xr10` carries the repo-managed ESP backport on the vulnerable `6.19.5` base, and the merged `v6.19.5-xr11` build route keeps it. Published fixed floors include `5.10.255+`, `5.15.205+`, `6.1.171+`, `6.6.138+`, `6.12.87+`, `6.18.28+`, and `7.0.5+`; EOL `6.19.x` stays conservative and uses the repo backport. 
| [`xr/security/dirtyfrag-esp-shared-frag.patch`](xr/security/dirtyfrag-esp-shared-frag.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-43284), [CVE record](https://www.cve.org/CVERecord?id=CVE-2026-43284), [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [ESP netdev fix f4c50a4034e6](https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=f4c50a4034e6) | +| CVE-2026-43500 | Dirty Frag / RxRPC page-cache write | `v6.19.5-xr10` carried the first repo-managed RxRPC RXKAD linearize/COW hardening on the vulnerable `6.19.5` base. Current `xr/main` also carries the RXGK linearize/COW backport for `6.18.x`, `6.19.x`, and `7.0.x` bases that include RXGK; `v6.19.5-xr11` is the first merged build candidate expected to publish RXKAD plus RXGK coverage. As of the 2026-05-09 linux-xr check, Debian tracks fixed package builds but NVD/CVE.org are not public here and no kernel.org upstream fixed floor is recorded in the gate, so supported `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases rely on the linux-xr backport route until proven otherwise. | [`xr/security/dirtyfrag-rxrpc-linearize.patch`](xr/security/dirtyfrag-rxrpc-linearize.patch), [`xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch`](xr/security/dirtyfrag-rxrpc-rxgk-linearize.patch), [`xr/scripts/build-rpm.sh`](xr/scripts/build-rpm.sh), [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10), [`xr11` build run](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) | [Dirty Frag](https://github.com/Jesssullivan/dirtyfrag), [Debian CVE tracker](https://security-tracker.debian.org/tracker/CVE-2026-43500), [RxRPC patch route](https://lore.kernel.org/all/afKV2zGR6rrelPC7@v4bel/) | ## SELinux and Security Config 
@@ -347,7 +347,7 @@ As of 2026-05-09, the latest published secured linux-xr lab release is [`v6.19.5-xr10`](https://github.com/tinyland-inc/linux-xr/releases/tag/v6.19.5-xr10). It keeps the `6.19.5` lab base but carries repo-managed [`CVE-2026-31431`](#known-patched-cves-and-security-backports), -`CVE-2026-43284` Dirty Frag ESP, and reserved-`CVE-2026-43500` Dirty Frag +`CVE-2026-43284` Dirty Frag ESP, and `CVE-2026-43500` Dirty Frag RxRPC backports. The generic `xr10` runtime is boot-proven on `mbp-13` and `honey`; RT artifacts are published but remain gated on explicit RT host validation. Kernel.org now lists @@ -357,6 +357,13 @@ should not become the long-lived lab target. Issue lab line to a selected maintained stable or longterm base and triaging all carry patches. +The current merged build candidate is +[`v6.19.5-xr11`](https://github.com/tinyland-inc/linux-xr/actions/runs/25609434372) +from `xr/main` commit `3b55106d`. It keeps the `6.19.5` compatibility base, +adds the Dirty Frag RxRPC RXGK backport alongside the existing RXKAD route, and +should supersede `xr10` for lab rollout only after generic and RT artifacts are +uploaded and the target hosts boot the exact `6.19.5-11.xr.el10` kernel. + Current ingestion checkpoint: - Generic `6.19.14` is a viable EOL compatibility proof target: the XR carry 
@@ -366,11 +373,12 @@ Current ingestion checkpoint: - Generic `6.18.28` longterm and `7.0.5` stable are maintained-base candidates: the XR carry patches dry-run cleanly against both tarballs. Both have `CVE-2026-43284` ESP fixed natively and still use the repo-managed - reserved-`CVE-2026-43500` RxRPC route until an upstream fixed floor is proven. + `CVE-2026-43500` RxRPC route until an upstream fixed floor is proven. - Generic `6.12.87` has `CVE-2026-43284` ESP fixed natively and now has a - repo-managed reserved-`CVE-2026-43500` RxRPC route. It remains a fallback - candidate, but its real RPM proof is blocked on a zero-fuzz DSC carry conflict - found in `%prep`. + repo-managed `CVE-2026-43500` RxRPC route. It remains a fallback candidate, + but its next real RPM proof must preserve the Rocky/systemd + `CONFIG_FW_LOADER_USER_HELPER=n` boot contract while allowing newer hardening + symbols that do not exist in `6.12.y` to be absent rather than disabled. - RT `7.0.1-rt2` and `6.19.3-rt1` pass the bounded carry/security preflights; RT `6.18.13-rt4` still fails the CVE-2026-31431 gate. Keep RT promotion separate from the generic SOTA target until a same-base RT patchset or local 
@@ -388,9 +396,9 @@ Current ingestion checkpoint: | Patch/workstream | Upstream status | Next action | |-------|----------------|-----| -| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr10` carries the `6.19.y` backport on the current `6.19.5` lab base | Keep fleet rollout on `xr10`, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. | -| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport | Keep `v6.19.5-xr10` as the current secured lab release, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. | -| CVE-2026-43500 / Dirty Frag RxRPC page-cache write | Debian now tracks the reserved CVE and carries an `skb->data_len` RxRPC fix, but no NVD/CVE.org record or kernel.org upstream fixed floor is visible from the 2026-05-09 linux-xr check; linux-xr carries RXKAD and RXGK linearize/COW backports until that upstream floor is proven | Keep carrying RxRPC on source-sync candidates until upstream/vendor fixed floors are proven. 
| +| CVE-2026-31431 / Copy Fail / `algif_aead` | Fixed upstream in `7.0` and stable affected-range floors including `6.19.12`, `6.18.22`, `6.12.85`, `6.6.137`, `6.1.170`, `5.15.204`, and `5.10.254`; `v6.19.5-xr10` carries the `6.19.y` backport on the current `6.19.5` lab base, and the merged `xr11` candidate keeps it | Keep fleet rollout on `xr10` until `xr11` artifacts pass and host boot evidence exists, then rebase the generic lane to a maintained target such as `7.0.5` stable or `6.18.28` longterm under issue #37. Treat stock 6.12-class hosts as exposed to Dirty Frag RxRPC unless a vendor backport, mitigation, or linux-xr route is proven and installed. | +| CVE-2026-43284 / Dirty Frag ESP page-cache write | ESP shared-frag fix is in netdev/net commit `f4c50a4034e6` and published in stable floors including `6.12.87`, `6.18.28`, and `7.0.5`; the EOL `6.19.5` lab base remains protected by the repo backport | Keep `v6.19.5-xr10` as the latest published secured lab release until `xr11` artifacts pass, stop treating fixed maintained bases as needing the ESP backport, and keep `6.12.87` as a fallback candidate only after an RPM proof succeeds. | +| CVE-2026-43500 / Dirty Frag RxRPC page-cache write | Debian now tracks the CVE and carries an `skb->data_len` RxRPC fix, but no NVD/CVE.org record or kernel.org upstream fixed floor is visible from the 2026-05-09 linux-xr check; linux-xr carries RXKAD and RXGK linearize/COW backports until that upstream floor is proven | Publish and boot-validate `xr11` for the EOL `6.19.5` lab line, and keep carrying RxRPC on source-sync candidates until upstream/vendor fixed floors are proven. | | VESA DisplayID DSC BPP parser / amdgpu handling | In-flight upstream series; not present in current upstream checkout | Track Bolyukin v7 fixed-DSC-BPP series and drop this part when it lands. 
| | QP table + RC offset adjustments | Local carry; not submitted as a standalone upstream series | Split from the DisplayID parser carry using `xr/patches/0007-vesa-dsc-bpp.map.md` and decide whether this is evidence-backed upstream material or host-only risk. | | EDID non-desktop quirk for `BIG/0x1234` and `BIG/0x5095` | Absent from current upstream checkout | Follow `xr/patches/bigscreen-beyond-edid.route.md`: local `BIG/0x1234` evidence now proves `non-desktop=1`; next regenerate an upstream/drm-misc topic patch and send via the DRM route. | diff --git a/xr/security/README.md b/xr/security/README.md index 27e77966f48c6f..f0e544235bc089 100644 --- a/xr/security/README.md +++ b/xr/security/README.md 
@@ -11,8 +11,8 @@ feature carry; use `xr/patches/` for that path. | --- | --- | --- | | `cve-2026-31431-algif-aead.patch` | Linux stable `6.19.y` commit `ce42ee423e58`, backporting mainline `a664bf3d603d` | Applied automatically for vulnerable `6.19.x` bases before RT and XR carry patches | | `dirtyfrag-esp-shared-frag.patch` | `CVE-2026-43284` Dirty Frag ESP mitigation from netdev/net commit `f4c50a4034e6` | Applied automatically for supported vulnerable `6.18.x`, `6.19.x`, and pre-`7.0.5` `7.0.x` bases before RT and XR carry patches; fixed maintained bases such as `6.12.87`, `6.18.28`, and `7.0.5` do not need this backport | -| `dirtyfrag-rxrpc-linearize.patch` | Reserved `CVE-2026-43500` linux-xr RXKAD backport adapted from the public Dirty Frag RxRPC patch route | Applied automatically for supported vulnerable `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases before RT and XR carry patches until an upstream fixed floor is published and proven | -| `dirtyfrag-rxrpc-rxgk-linearize.patch` | Reserved `CVE-2026-43500` linux-xr RXGK backport for DATA/RESPONSE in-place decrypt paths | Applied automatically with the RXKAD backport for supported vulnerable `6.18.x`, `6.19.x`, and `7.0.x` bases that carry RXGK until an upstream fixed floor is published and proven | +| `dirtyfrag-rxrpc-linearize.patch` | `CVE-2026-43500` linux-xr RXKAD backport adapted from the public Dirty Frag RxRPC patch route; Debian now tracks fixed package builds, but this repo has not yet recorded a kernel.org fixed floor | Applied automatically for supported vulnerable `6.12.x`, `6.18.x`, `6.19.x`, and `7.0.x` bases before RT and XR carry patches until an upstream fixed floor is published and proven | +| `dirtyfrag-rxrpc-rxgk-linearize.patch` | `CVE-2026-43500` linux-xr RXGK backport for DATA/RESPONSE in-place decrypt paths; `v6.19.5-xr11` is the first merged build candidate expected to publish RXKAD plus RXGK coverage on the EOL `6.19.5` lab base | Applied automatically with the RXKAD backport for 
supported vulnerable `6.18.x`, `6.19.x`, and `7.0.x` bases that carry RXGK until an upstream fixed floor is published and proven | Other affected kernel lines remain guarded by `xr/scripts/build-rpm.sh`, but do not have repo-managed backports here. Use a fixed upstream floor, vendor-fixed diff --git a/xr/source-sync.md b/xr/source-sync.md index cab23c8d16811d..2c7ea796410415 100644 --- a/xr/source-sync.md +++ b/xr/source-sync.md @@ -9,11 +9,16 @@ As of 2026-05-09: - Current lab release line: `v6.19.5-xr10` is published and boot-proven on `mbp-13` and `honey` +- Current merged build candidate: `v6.19.5-xr11` from `xr/main` commit + `3b55106d`, carrying `CVE-2026-31431`, `CVE-2026-43284`, and both + `CVE-2026-43500` RxRPC RXKAD/RXGK backports. It should not replace `xr10` + in rollout docs until generic and RT artifacts are uploaded and target hosts + boot the exact `6.19.5-11.xr.el10` kernel. - Bounded EOL compatibility proof target: `v6.19.14` - Maintained generic candidate targets: `v7.0.5` stable and `v6.18.28` longterm - Longterm fallback watch: `v6.12.87`, still pending a successful RPM proof. `6.12.87` has `CVE-2026-43284` ESP fixed natively and now has a - repo-managed reserved-`CVE-2026-43500` RxRPC build route. The zero-fuzz DSC + repo-managed `CVE-2026-43500` RxRPC build route. The zero-fuzz DSC carry conflict is fixed; the next proof gate is preserving the `CONFIG_FW_LOADER_USER_HELPER=n` systemd/Rocky boot contract on this older Kconfig while allowing hardening symbols that do not exist yet in `6.12.y` to 
@@ -62,9 +67,9 @@ Required checks before moving build defaults or release tags: ``` The `6.12.87` tarball contains the `CVE-2026-43284` ESP shared-frag hardening, -but the `rxkad.c` tree does not contain the reserved-`CVE-2026-43500` Dirty -Frag RxRPC linearize/COW hardening. Newer RXGK-capable bases also need the -linux-xr RXGK response/DATA hardening until an upstream fixed floor is proven. +but the `rxkad.c` tree does not contain the `CVE-2026-43500` Dirty Frag RxRPC +linearize/COW hardening. Newer RXGK-capable bases also need the linux-xr RXGK +response/DATA hardening until an upstream fixed floor is proven. Do not promote `6.12.87` as a linux-xr fallback until a real RPM proof succeeds with the RxRPC security route and the systemd/Rocky firmware-loader helper guard intact.
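Review bot: in the README.md hunk at @@ -290,7 +290,7, the preflight example now passes `--xr-release 11` under the unchanged lead-in "For a no-build check of the active route:", while this same patch says `v6.19.5-xr10` is still the latest published release and that `xr11` should not supersede it until artifacts are uploaded and hosts boot. A reader verifying the kernel they actually run will preflight the candidate instead. Suggest rewording the lead-in to say the command checks the current build candidate, or noting that `--xr-release 10` matches the published release.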
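Review bot: in the README.md CVE table hunk at @@ -313,9 +313,9, the CVE-2026-43500 row drops "(reserved)" from the identifier, yet the same cell still says "NVD/CVE.org are not public here" and the external references column still has no NVD or CVE.org link. Neither the row nor the commit message says what the change of label is based on. Suggest naming the basis in the row, for instance the Debian tracker entry already linked, so the row does not read as if a public record exists. The same row also changes "also requires the RXGK linearize/COW backport" to "also carries"; if the build gate still refuses RXGK-capable bases without the patch, keep "requires" so the enforcement stays documented.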
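Review bot: in the README.md paragraph added at @@ -357,6 +357,13, the link text `v6.19.5-xr11` looks like a release tag but points at `actions/runs/25609434372`, whereas every `v6.19.5-xr10` link goes to `releases/tag/v6.19.5-xr10`; elsewhere in this patch the same URL is labelled "`xr11` build run". Use that label here too so nobody takes the link for a published release. The commit is also given as `3b55106d` (8 characters) while the other hashes in these files use 12 (`f4c50a4034e6`, `ce42ee423e58`); please use the 12-character form.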
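Review bot: in the README.md `6.12.87` bullet at @@ -366,11 +373,12, the removed text said the RPM proof "is blocked on a zero-fuzz DSC carry conflict found in `%prep`", and the replacement moves straight to the `CONFIG_FW_LOADER_USER_HELPER=n` requirement without saying what happened to that blocker. `xr/source-sync.md` states "The zero-fuzz DSC carry conflict is fixed"; add the same clause here so the two files agree and the README does not silently drop a known failure.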
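Review bot: in the README.md upstream-status table at @@ -388,9 +396,9, the next-action cells give two different conditions for leaving `xr10`: the CVE-2026-31431 row says "until `xr11` artifacts pass and host boot evidence exists", the CVE-2026-43284 row only "until `xr11` artifacts pass". The paragraph added earlier in this patch requires both uploaded generic and RT artifacts and target hosts booting the exact `6.19.5-11.xr.el10` kernel. Suggest using that full condition in both rows, or pointing both rows at that paragraph.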
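Review bot: in the xr/security/README.md hunk at @@ -11,8 +11,8, both RxRPC rows add release status to the second column ("Debian now tracks fixed package builds, but this repo has not yet recorded a kernel.org fixed floor", "`v6.19.5-xr11` is the first merged build candidate expected to publish RXKAD plus RXGK coverage"), which in the neighbouring rows only names where the patch comes from. These statements carry no date in this file and will go stale when `xr11` publishes or an upstream floor appears. Suggest keeping that column to provenance and moving the status to the third column with an "As of 2026-05-09" qualifier, or linking to the README table instead.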
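Review bot: in the xr/source-sync.md hunk at @@ -9,11 +9,16, the added "Current merged build candidate" bullet restates the README paragraph from this patch (commit `3b55106d`, the artifact and boot condition, `6.19.5-11.xr.el10`), so the promotion rule now lives in two files that must be edited together when `xr11` ships. The bullet also omits the build-run link that the README gives. Suggest keeping the rule in one file and linking to it from the other, and adding the run link here.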