CVE-2022-49340

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> ip_gre: test csum_start instead of transport header<br /> <br /> GRE with TUNNEL_CSUM will apply local checksum offload on<br /> CHECKSUM_PARTIAL packets.<br /> <br /> ipgre_xmit must validate csum_start after an optional skb_pull,<br /> else lco_csum may trigger an overflow. The original check was<br /> <br /> if (csum &amp;&amp; skb_checksum_start(skb) data)<br /> return -EINVAL;<br /> <br /> This had false positives when skb_checksum_start is undefined:<br /> when ip_summed is not CHECKSUM_PARTIAL. A discussed refinement<br /> was straightforward<br /> <br /> if (csum &amp;&amp; skb-&gt;ip_summed == CHECKSUM_PARTIAL &amp;&amp;<br /> skb_checksum_start(skb) data)<br /> return -EINVAL;<br /> <br /> But was eventually revised more thoroughly:<br /> - restrict the check to the only branch where needed, in an<br /> uncommon GRE path that uses header_ops and calls skb_pull.<br /> - test skb_transport_header, which is set along with csum_start<br /> in skb_partial_csum_set in the normal header_ops datapath.<br /> <br /> Turns out skbs can arrive in this branch without the transport<br /> header set, e.g., through BPF redirection.<br /> <br /> Revise the check back to check csum_start directly, and only if<br /> CHECKSUM_PARTIAL. Do leave the check in the updated location.<br /> Check field regardless of whether TUNNEL_CSUM is configured.