In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
Inthe Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linuxkernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSOpackets.The function alreadychecks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is inskblinear.But for GSOpacketsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))Byinjecting a TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073[inline]Thegeometry of the bad inputpacket at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52)trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deducethe correct value from gso_type.This is already done forUSO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computesthechecksum in software.csum_start:finding the real offset requires parsing tothe transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that alsocatches bad packetsthat are hw offloaded.Again test both TSOandUSO.Do not testUFO for the above reason, anddo not test UDP tunneloffload.GSO packet are almost always CHECKSUM_PARTIAL.USOpackets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices withno checksum offload"), but thenstill these fieldsareinitialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneedto test for ip_summed == CHECKSUM_PARTIAL first.This revisesan existing fix mentioned in the Fixes tag, which brokesmall packets with GSOoffload,asdetected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
IntheLinux kernel, thefollowing vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.Thefunction already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear.Butfor GSOpacketsthismight not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1 PID: 3539at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]Thegeometry ofthe bad input packet at tcp_gso_segment:[ 52.003050][T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correctvalue from gso_type.This is already done for USO. Extendit to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksumin software.csum_start: finding thereal offset requires parsing to the transportheader. Do not add a parser, useexisting segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches badpackets that are hwoffloaded.Again test both TSO and USO. DonottestUFO for theabove reason, anddo not test UDP tunnel offload.GSOpacket are almost always CHECKSUM_PARTIAL. USO packetsmaybeCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksumoffload"), but then still thesefieldsare initializedcorrectly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test forip_summed == CHECKSUM_PARTIAL first.This revises an existingfix mentioned in the Fixes tag, which brokesmall packets with GSO offload, asdetectedbykselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that achecksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset =skb_checksum_start_offset(skb);ret =-EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting aTSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add aparser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks thata checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset= skb_checksum_start_offset(skb);ret= -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU:1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not adda parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmitfrom devices with no checksum offload"), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
In the Linux kernel, the following vulnerability has been resolved:net: drop badgso csum_start and offset in virtio_net_hdrTighten csum_startand csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checksthat a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUMis in skb linear. But forGSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injectinga TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930net/ipv4/ip_tunnel_core.c:82ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline]xmit_onenet/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad inputpacket at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This isalready done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum insoftware.csum_start: finding thereal offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing.Thanksto SKB_GSO_DODGY, that alsocatches bad packets that arehw offloaded.Again test bothTSOandUSO. Do not test UFO for theabove reason, anddo not test UDP tunnel offload.GSO packet are almostalways CHECKSUM_PARTIAL. USO packets maybeCHECKSUM_NONEsince commit 10154dbded6d6 ("udp: AllowGSO transmitfromdevices with no checksum offload"), but then still these fieldsare initialized correctlyinudp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.Thisrevises an existing fix mentioned in the Fixes tag, whichbrokesmall packets with GSO offload, as detected by kselftests.The Linux kernel CVE team has assigned CVE-2024-43897 to this issue.
In the Linux kernel, the following vulnerability has been resolved:net: drop bad gso csum_start and offset in virtio_net_hdrTighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packetsthis might not hold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extend it to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: finding the real offset requires parsing to the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.Again test both TSO and USO. Do not test UFO for the above reason, anddo not test UDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USO packets may beCHECKSUM_NONE since commit 10154dbded6d6 ( udp: Allow GSO transmitfrom devices with no checksum offload ), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So noneed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned in the Fixes tag, which brokesmall packets with GSO offload, as detected by kselftests.
| linux | | https://git.kernel.org/linus/89add40066f9ed9abe5f7f886fe5789ff7e0c50e | https://git.kernel.org/linus/e269d79c7d35aa3808b1f3c1737d63dab504ddc8 | ubuntu |
</details>
二、漏洞分析结构反馈
影响性分析说明:
IntheLinuxkernel,thefollowing vulnerability has been resolved:net: drop bad gso csum_start andoffsetin virtio_net_hdrTighten csum_start and csum_offset checks invirtio_net_hdr_to_skbfor GSO packets.The function already checks that a checksum requestedwithVIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But forGSO packetsthis might nothold for segs after segmentation.Syzkaller demonstrated to reach this warning in skb_checksum_helpoffset = skb_checksum_start_offset(skb);ret = -EINVAL;if (WARN_ON_ONCE(offset >= skb_headlen(skb)))By injecting a TSO packet:WARNING: CPU: 1PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82ip_tunnel_xmit+0x2296/0x2c70net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595[inline]dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline]The geometry of the bad input packet at tcp_gso_segment:[ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0[ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244[ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))[ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536ip_summed=3 complete_sw=0 valid=0 level=0)Mitigate with stricter input validation.csum_offset: for GSO packets, deduce the correct value from gso_type.This is already done for USO. Extendit to TSO. Let UFO be:udp[46]_ufo_fragment ignores these fields and always computes thechecksum in software.csum_start: findingthe real offset requires parsingto the transportheader. Do not add a parser, use existing segmentation parsing. Thanksto SKB_GSO_DODGY, thatalso catches bad packets that arehw offloaded.Again test bothTSO and USO. Do not test UFOfortheabove reason, anddo not testUDP tunnel offload.GSO packet are almost always CHECKSUM_PARTIAL. USOpackets may beCHECKSUM_NONE since commit10154dbded6d6 (udp: Allow GSO transmitfrom devices with nochecksum offload), but then still these fieldsare initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing.Sononeed to test for ip_summed == CHECKSUM_PARTIAL first.This revises an existing fix mentioned inthe Fixes tag, which brokesmall packets with GSO offload,as detected by kselftests.
