CVE-2024-35884

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/05/2024
Last modified:
23/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

udp: do not accept non-tunnel GSO skbs landing in a tunnel

When rx-udp-gro-forwarding is enabled UDP packets might be GROed when being forwarded. If such packets might land in a tunnel this can cause various issues and udp_gro_receive makes sure this isn't the case by looking for a matching socket. This is performed in udp4/6_gro_lookup_skb but only in the current netns. This is an issue with tunneled packets when the endpoint is in another netns. In such cases the packets will be GROed at the UDP level, which leads to various issues later on. The same thing can happen with rx-gro-list.

We saw this with geneve packets being GROed at the UDP level. In such a case gso_size is set; later the packet goes through the geneve rx path, the geneve header is pulled, the offsets are adjusted and frag_list skbs are not adjusted with regard to geneve. When those skbs hit skb_fragment, it will misbehave. Different outcomes are possible depending on what the GROed skbs look like; from corrupted packets to kernel crashes.

One example is a BUG_ON[1] triggered in skb_segment while processing the frag_list. Because gso_size is wrong (geneve header was pulled) skb_segment thinks there is "geneve header size" of data in frag_list, although it's in fact the next packet. The BUG_ON itself has nothing to do with the issue. This is only one of the potential issues.

Looking for a matching socket in udp_gro_receive is fragile: the lookup could be extended to all netns (not speaking about performance) but nothing prevents those packets from being modified in between and we could still not find a matching socket. It's OK to keep the current logic there as it should cover most cases but we also need to make sure we handle tunnel packets being GROed too early.

This is done by extending the checks in udp_unexpected_gso: GSO packets lacking the SKB_GSO_UDP_TUNNEL/_CSUM bits and landing in a tunnel must be segmented.

[1] kernel BUG at net/core/skbuff.c:4408!
RIP: 0010:skb_segment+0xd2a/0xf70
__udp_gso_segment+0xaa/0x560

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.6 (including) 5.10.215 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.154 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.85 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
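The following is an added example, not part of this record, showing how a defender can turn the version ranges above into a check of whether a given upstream kernel version number falls inside an affected range. It encodes exactly the ranges and release candidates listed in the table; the Debian 10 CPE row is a distribution entry rather than a version range and is not modelled. The parsing of "-rcN" suffixes and the handling of distribution-style suffixes such as "-arch1-1" are assumptions of this example. Note that it only evaluates the upstream version number: distribution kernels frequently carry backported fixes under an older version string, so a match here means "in the published range", not "confirmed unpatched".

```python
import re

# Affected ranges as published on this record: [from (including), up to (excluding))
AFFECTED_RANGES = [
    ("5.6", "5.10.215"),
    ("5.11", "5.15.154"),
    ("5.16", "6.1.85"),
    ("6.2", "6.6.26"),
    ("6.7", "6.8.5"),
]

# Release candidates listed individually on this record
AFFECTED_EXACT = ["6.9-rc1", "6.9-rc2"]

# major.minor[.patch][-rcN]; anything after that (e.g. "-arch1-1") is ignored
_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_version(text):
    """Return a sortable tuple for an upstream kernel version string.

    rc builds sort before the final release of the same number:
    (major, minor, patch, 0, N) for -rcN, (major, minor, patch, 1, 0) for final.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {text!r}")
    major, minor, patch, rc = m.groups()
    patch_n = int(patch) if patch else 0
    if rc:
        return (int(major), int(minor), patch_n, 0, int(rc))
    return (int(major), int(minor), patch_n, 1, 0)


def is_affected(version):
    """True if the version lies in a published range or is a listed rc build."""
    key = parse_version(version)
    if any(key == parse_version(v) for v in AFFECTED_EXACT):
        return True
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= key < parse_version(high):
            return True
    return False


def affected_range(version):
    """Return the (from, up-to) range that matches, or None."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= key < parse_version(high):
            return (low, high)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, including a distribution-style suffix
    for v in ["5.5.19", "5.6", "6.6.25", "6.6.26", "6.8.4-arch1-1", "6.9-rc1", "6.9"]:
        print(f"{v:16} affected={is_affected(v)} range={affected_range(v)}")
```

On a live host the input would typically come from `uname -r`; pair the result with the distribution's own advisory tracker before concluding that the host is unpatched.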