Description

In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); ret = -EINVAL; if (WARN_ON_ONCE(offset >= skb_headlen(skb))) By injecting a TSO packet: WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0 ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774 ip_finish_output_gso net/ipv4/ip_output.c:279 [inline] __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301 iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82 ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813 __gre_xmit net/ipv4/ip_gre.c:469 [inline] ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661 __netdev_start_xmit include/linux/netdevice.h:4850 [inline] netdev_start_xmit include/linux/netdevice.h:4864 [inline] xmit_one net/core/dev.c:3595 [inline] dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611 __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261 packet_snd net/packet/af_packet.c:3073 [inline] The geometry of the bad input packet at tcp_gso_segment: [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0 [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244 [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0)) [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536 ip_summed=3 complete_sw=0 valid=0 level=0) Mitigate with stricter input validation. csum_offset: for GSO packets, deduce the correct value from gso_type. This is already done for USO. Extend it to TSO. Let UFO be: udp[46]_ufo_fragment ignores these fields and always computes the checksum in software. csum_start: finding the real offset requires parsing to the transport header. Do not add a parser, use existing segmentation parsing. Thanks to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded. Again test both TSO and USO. Do not test UFO for the above reason, and do not test UDP tunnel offload. GSO packet are almost always CHECKSUM_PARTIAL. USO packets may be CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit from devices with no checksum offload"), but then still these fields are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no need to test for ip_summed == CHECKSUM_PARTIAL first. This revises an existing fix mentioned in the Fixes tag, which broke small packets with GSO offload, as detected by kselftests.

Metrics

 

CVSS Version 4.0 CVSS Version 3.x CVSS Version 2.0

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score:  5.5 MEDIUM

Vector:  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS 2.0 Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://git.kernel.org/stable/c/2edbb3e8838c672cd7e247e47989df9d03fc6668	Patch
https://git.kernel.org/stable/c/413e785a89f8bde0d4156a54b8ac2fa003c06756
https://git.kernel.org/stable/c/6772c4868a8e7ad5305957cdb834ce881793acb7	Patch
https://git.kernel.org/stable/c/89add40066f9ed9abe5f7f886fe5789ff7e0c50e	Patch
https://git.kernel.org/stable/c/f01c5e335fbb7fb612d40f14a3c02e2612a43d3b	Patch

Weakness Enumeration

CWE-ID	CWE Name	Source
NVD-CWE-noinfo	Insufficient Information	NIST

Known Affected Software Configurations Switch to CPE 2.2

CPEs loading, please wait.

Denotes Vulnerable Software
Are we missing a CPE here? Please let us know.

Change History

4 change records found show changes

CVE Modified by kernel.org 9/12/2024 8:15:50 AM

Action	Type	Old Value	New Value
Added	Reference		kernel.org https://git.kernel.org/stable/c/413e785a89f8bde0d4156a54b8ac2fa003c06756 [No types assigned]

Initial Analysis by NIST 9/05/2024 2:36:30 PM

Action	Type	Old Value	New Value
Added	CVSS V3.1		NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Added	CWE		NIST NVD-CWE-noinfo
Added	CPE Configuration		OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.15.165 up to (excluding) 6.1.107 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.6.44 up to (excluding) 6.6.46 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.10.3 up to (excluding) 6.10.5 *cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
Changed	Reference Type	https://git.kernel.org/stable/c/2edbb3e8838c672cd7e247e47989df9d03fc6668 No Types Assigned	https://git.kernel.org/stable/c/2edbb3e8838c672cd7e247e47989df9d03fc6668 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/6772c4868a8e7ad5305957cdb834ce881793acb7 No Types Assigned	https://git.kernel.org/stable/c/6772c4868a8e7ad5305957cdb834ce881793acb7 Patch
Changed	Reference Type	https://git.kernel.org/stable/c/89add40066f9ed9abe5f7f886fe5789ff7e0c50e No Types Assigned	https://git.kernel.org/stable/c/89add40066f9ed9abe5f7f886fe5789ff7e0c50e Patch
Changed	Reference Type	https://git.kernel.org/stable/c/f01c5e335fbb7fb612d40f14a3c02e2612a43d3b No Types Assigned	https://git.kernel.org/stable/c/f01c5e335fbb7fb612d40f14a3c02e2612a43d3b Patch

CVE Modified by kernel.org 8/29/2024 1:15:08 PM

Action	Type	Old Value	New Value
Added	Reference		kernel.org https://git.kernel.org/stable/c/f01c5e335fbb7fb612d40f14a3c02e2612a43d3b [No types assigned]

New CVE Received from kernel.org 8/26/2024 7:15:04 AM

Action	Type	Old Value	New Value
Added	Description		Record truncated, showing 500 of 2767 characters. View Entire Change Record In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb for GSO packets. The function already checks that a checksum requested with VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets this might not hold for segs after segmentation. Syzkaller demonstrated to reach this warning in skb_checksum_help offset = skb_checksum_start_offset(skb); re
Added	Reference		kernel.org https://git.kernel.org/stable/c/2edbb3e8838c672cd7e247e47989df9d03fc6668 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/6772c4868a8e7ad5305957cdb834ce881793acb7 [No types assigned]
Added	Reference		kernel.org https://git.kernel.org/stable/c/89add40066f9ed9abe5f7f886fe5789ff7e0c50e [No types assigned]