From 93dc4016946e8e3e0a2e7228ede765c408e85f88 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 23:33:56 +0000 Subject: [PATCH 1/4] Initial plan From 2cbeac72007d725b0058f9392e05198abcb93291 Mon Sep 17 00:00:00 2001 From: Deepu Thomas Date: Tue, 19 May 2026 11:43:34 -0700 Subject: [PATCH 2/4] kernel: disable CONFIG_RDS on aarch64 to match x86_64 The x86_64 kernel config has had CONFIG_RDS disabled since 5.4.23-11 (May 2020), but the aarch64 config retained CONFIG_RDS=m, CONFIG_RDS_TCP=m, and CONFIG_RDS_RDMA=m. This was an oversight in the original change which predated full aarch64 support in CBL-Mariner, and has persisted across every kernel rebase since. Align aarch64 with x86_64. RDS (Oracle Reliable Datagram Sockets) has no expected use in Azure Linux guest workloads, and recent CVEs in the RDS zerocopy send path (e.g. PinTheft LPE disclosed 2026-05-19) reinforce that the protocol should not be reachable on hosts that don't need it. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com> --- SPECS/kernel/config_aarch64 | 5 +---- SPECS/kernel/kernel.signatures.json | 2 +- SPECS/kernel/kernel.spec | 9 ++++++++- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/SPECS/kernel/config_aarch64 b/SPECS/kernel/config_aarch64 index 7f03e360022..a081d5fbcfd 100644 --- a/SPECS/kernel/config_aarch64 +++ b/SPECS/kernel/config_aarch64 @@ -1657,10 +1657,7 @@ CONFIG_SCTP_DEFAULT_COOKIE_HMAC_SHA1=y CONFIG_SCTP_COOKIE_HMAC_MD5=y CONFIG_SCTP_COOKIE_HMAC_SHA1=y CONFIG_INET_SCTP_DIAG=m -CONFIG_RDS=m -CONFIG_RDS_RDMA=m -CONFIG_RDS_TCP=m -# CONFIG_RDS_DEBUG is not set +# CONFIG_RDS is not set CONFIG_TIPC=m CONFIG_TIPC_MEDIA_IB=y CONFIG_TIPC_MEDIA_UDP=y diff --git a/SPECS/kernel/kernel.signatures.json b/SPECS/kernel/kernel.signatures.json index 8beb1041c9b..6e0a940238a 100644 --- a/SPECS/kernel/kernel.signatures.json 
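Review bot: Nothing in the SPECS/kernel/config_aarch64 hunk keeps `# CONFIG_RDS is not set` in place on the next config refresh, and the commit message says the divergence from x86_64 persisted across every rebase since 2020. A build-time assertion in kernel.spec would turn a silent regression into a failed build, for example `if grep -Eq '^CONFIG_RDS(_TCP|_RDMA)?=' .config; then exit 1; fi` once the arch config has been copied into place (that step is outside the visible hunks, so the `.config` path is an assumption). PATCH 3/4 bumps kernel-64k to Release 2 with no config change shown on this page; if that aarch64 kernel builds from its own config file, it should be checked for `CONFIG_RDS=m` as well. Until hosts reboot into 6.6.139.1-2 the rds modules shipped by the previous package remain loadable, so a modprobe.d entry such as `install rds /bin/false` is a reasonable interim mitigation.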
+++ b/SPECS/kernel/kernel.signatures.json @@ -2,7 +2,7 @@ "Signatures": { "azurelinux-ca-20230216.pem": "d545401163c75878319f01470455e6bc18a5968e39dd964323225e3fe308849b", "config": "09474b8388008baf182997b999d691f71331ac2d266a9c0a5414c58923135070", - "config_aarch64": "242765f15998ffcbce7a3f577e69a1657de836b8906afe510cd9490920fd2619", + "config_aarch64": "8781dab223c2657730384cd194d5b647b56b63e8712e390bf4f24399bc9c27ee", "cpupower": "d7518767bf2b1110d146a49c7d42e76b803f45eb8bd14d931aa6d0d346fae985", "cpupower.service": "b057fe9e5d0e8c36f485818286b80e3eba8ff66ff44797940e99b1fd5361bb98", "sha512hmac-openssl.sh": "02ab91329c4be09ee66d759e4d23ac875037c3b56e5a598e32fd1206da06a27f", diff --git a/SPECS/kernel/kernel.spec b/SPECS/kernel/kernel.spec index b972257310c..2e84582b50b 100644 --- a/SPECS/kernel/kernel.spec +++ b/SPECS/kernel/kernel.spec @@ -32,7 +32,7 @@ Summary: Linux Kernel Name: kernel Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux @@ -440,6 +440,13 @@ echo "initrd of kernel %{uname_r} removed" >&2 %{_sysconfdir}/bash_completion.d/bpftool %changelog +* Tue May 19 2026 Deepu Thomas - 6.6.139.1-2 +- Disable Reliable Datagram Sockets protocol (CONFIG_RDS) on aarch64 to + match x86_64. Closes a long-standing config divergence dating to 2020 + (5.4.23-11) where RDS was disabled on x86_64 only. Mitigates exposure + to RDS-specific LPEs such as PinTheft (rds_message_zcopy_from_user + double-free, oss-security 2026/05/19). + * Fri May 15 2026 CBL-Mariner Servicing Account - 6.6.139.1-1 - Auto-upgrade to 6.6.139.1 From 56caf7f1816eef3a27f56ad8266d5c82ab806c1e Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 22:42:33 +0000 Subject: [PATCH 3/4] fix: align kernel spec releases for entanglement check Agent-Logs-Url: https://github.com/microsoft/azurelinux/sessions/3248fcc9-0a83-4171-ab2c-16d383ac50e4 Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com> --- SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec | 2 +- SPECS-SIGNED/kernel-signed/kernel-signed.spec | 2 +- SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec | 2 +- SPECS/kernel-64k/kernel-64k.spec | 2 +- SPECS/kernel-headers/kernel-headers.spec | 2 +- SPECS/kernel/kernel-uki.spec | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec index 18b50b23ba8..d218d553552 100644 --- a/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec +++ b/SPECS-SIGNED/kernel-64k-signed/kernel-64k-signed.spec @@ -7,7 +7,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-64k-signed-%{buildarch} Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux diff --git a/SPECS-SIGNED/kernel-signed/kernel-signed.spec b/SPECS-SIGNED/kernel-signed/kernel-signed.spec index 1216f778282..eb853cf743f 100644 --- a/SPECS-SIGNED/kernel-signed/kernel-signed.spec +++ b/SPECS-SIGNED/kernel-signed/kernel-signed.spec @@ -10,7 +10,7 @@ Summary: Signed Linux Kernel for %{buildarch} systems Name: kernel-signed-%{buildarch} Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux diff --git a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec index 7b213ca4535..2fce2737cae 100644 --- a/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec +++ b/SPECS-SIGNED/kernel-uki-signed/kernel-uki-signed.spec 
@@ -6,7 +6,7 @@ Summary: Signed Unified Kernel Image for %{buildarch} systems Name: kernel-uki-signed-%{buildarch} Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux diff --git a/SPECS/kernel-64k/kernel-64k.spec b/SPECS/kernel-64k/kernel-64k.spec index 27262f66011..1078faf0f30 100644 --- a/SPECS/kernel-64k/kernel-64k.spec +++ b/SPECS/kernel-64k/kernel-64k.spec @@ -27,7 +27,7 @@ Summary: Linux Kernel Name: kernel-64k Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux diff --git a/SPECS/kernel-headers/kernel-headers.spec b/SPECS/kernel-headers/kernel-headers.spec index 6cfc3a6747c..782422f6c56 100644 --- a/SPECS/kernel-headers/kernel-headers.spec +++ b/SPECS/kernel-headers/kernel-headers.spec @@ -14,7 +14,7 @@ Summary: Linux API header files Name: kernel-headers Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux diff --git a/SPECS/kernel/kernel-uki.spec b/SPECS/kernel/kernel-uki.spec index d5a4bb41179..abcadc187f4 100644 --- a/SPECS/kernel/kernel-uki.spec +++ b/SPECS/kernel/kernel-uki.spec @@ -13,7 +13,7 @@ Summary: Unified Kernel Image Name: kernel-uki Version: 6.6.139.1 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 Vendor: Microsoft Corporation Distribution: Azure Linux From 5d93d288774cd6b02e735b6ba8df05d3cc498ebd Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 19 May 2026 23:40:34 +0000 Subject: [PATCH 4/4] fix: update manifests for kernel-headers release 2 bump MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The kernel.spec Release was bumped from 1 to 2 (for RDS config change on aarch64) and the entanglement check required kernel-headers.spec to be bumped to Release 2 as well. However, the toolchain and pkggen manifests were not updated to reference the new kernel-headers-6.6.139.1-2.azl3.noarch.rpm RPM names. Update all four manifest files: - toolkit/resources/manifests/package/toolchain_x86_64.txt - toolkit/resources/manifests/package/toolchain_aarch64.txt - toolkit/resources/manifests/package/pkggen_core_x86_64.txt - toolkit/resources/manifests/package/pkggen_core_aarch64.txt to replace kernel-headers-6.6.139.1-1.azl3 → kernel-headers-6.6.139.1-2.azl3 and kernel-cross-headers-6.6.139.1-1.azl3 → kernel-cross-headers-6.6.139.1-2.azl3. Agent-Logs-Url: https://github.com/microsoft/azurelinux/sessions/559043db-bb88-48a8-baf4-5b4b6b0a607a Co-authored-by: dethoma <11412958+dethoma@users.noreply.github.com> --- toolkit/resources/manifests/package/pkggen_core_aarch64.txt | 2 +- toolkit/resources/manifests/package/pkggen_core_x86_64.txt | 2 +- toolkit/resources/manifests/package/toolchain_aarch64.txt | 2 +- toolkit/resources/manifests/package/toolchain_x86_64.txt | 4 ++-- 4 files changed, 5 insertions(+), 5 deletions(-) diff --git a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt index ba557f57e4b..5628b4b022b 100644 --- a/toolkit/resources/manifests/package/pkggen_core_aarch64.txt +++ b/toolkit/resources/manifests/package/pkggen_core_aarch64.txt 
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.aarch64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 glibc-2.38-19.azl3.aarch64.rpm
 glibc-devel-2.38-19.azl3.aarch64.rpm
 glibc-i18n-2.38-19.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
index 0016d7f983d..9668a17d575 100644
--- a/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
+++ b/toolkit/resources/manifests/package/pkggen_core_x86_64.txt
@@ -1,5 +1,5 @@
 filesystem-1.1-21.azl3.x86_64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 glibc-2.38-19.azl3.x86_64.rpm
 glibc-devel-2.38-19.azl3.x86_64.rpm
 glibc-i18n-2.38-19.azl3.x86_64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_aarch64.txt b/toolkit/resources/manifests/package/toolchain_aarch64.txt
index edd476ee940..35d87207ee7 100644
--- a/toolkit/resources/manifests/package/toolchain_aarch64.txt
+++ b/toolkit/resources/manifests/package/toolchain_aarch64.txt
@@ -158,7 +158,7 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.aarch64.rpm
 kbd-debuginfo-2.2.0-2.azl3.aarch64.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.aarch64.rpm
 kmod-debuginfo-30-1.azl3.aarch64.rpm
 kmod-devel-30-1.azl3.aarch64.rpm
diff --git a/toolkit/resources/manifests/package/toolchain_x86_64.txt b/toolkit/resources/manifests/package/toolchain_x86_64.txt
index e7f71e1b396..779c1d014ab 100644
--- a/toolkit/resources/manifests/package/toolchain_x86_64.txt
+++ b/toolkit/resources/manifests/package/toolchain_x86_64.txt
@@ -165,8 +165,8 @@ intltool-0.51.0-7.azl3.noarch.rpm
 itstool-2.0.7-1.azl3.noarch.rpm
 kbd-2.2.0-2.azl3.x86_64.rpm
 kbd-debuginfo-2.2.0-2.azl3.x86_64.rpm
-kernel-cross-headers-6.6.139.1-1.azl3.noarch.rpm
-kernel-headers-6.6.139.1-1.azl3.noarch.rpm
+kernel-cross-headers-6.6.139.1-2.azl3.noarch.rpm
+kernel-headers-6.6.139.1-2.azl3.noarch.rpm
 kmod-30-1.azl3.x86_64.rpm
 kmod-debuginfo-30-1.azl3.x86_64.rpm
 kmod-devel-30-1.azl3.x86_64.rpm