CVE-2025-38124

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: fix udp gso skb_segment after pull from frag_list<br /> <br /> Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after<br /> pull from frag_list") detected invalid geometry in frag_list skbs and<br /> redirects them from skb_segment_list to more robust skb_segment. But some<br /> packets with modified geometry can also hit bugs in that code. We don&amp;#39;t<br /> know how many such cases exist. Addressing each one by one also requires<br /> touching the complex skb_segment code, which risks introducing bugs for<br /> other types of skbs. Instead, linearize all these packets that fail the<br /> basic invariants on gso fraglist skbs. That is more robust.<br /> <br /> If only part of the fraglist payload is pulled into head_skb, it will<br /> always cause exception when splitting skbs by skb_segment. For detailed<br /> call stack information, see below.<br /> <br /> Valid SKB_GSO_FRAGLIST skbs<br /> - consist of two or more segments<br /> - the head_skb holds the protocol headers plus first gso_size<br /> - one or more frag_list skbs hold exactly one segment<br /> - all but the last must be gso_size<br /> <br /> Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can<br /> modify fraglist skbs, breaking these invariants.<br /> <br /> In extreme cases they pull one part of data into skb linear. For UDP,<br /> this causes three payloads with lengths of (11,11,10) bytes were<br /> pulled tail to become (12,10,10) bytes.<br /> <br /> The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because<br /> payload was pulled into head_skb, it needs to be linearized before pass<br /> to regular skb_segment.<br /> <br /> skb_segment+0xcd0/0xd14<br /> __udp_gso_segment+0x334/0x5f4<br /> udp4_ufo_fragment+0x118/0x15c<br /> inet_gso_segment+0x164/0x338<br /> skb_mac_gso_segment+0xc4/0x13c<br /> __skb_gso_segment+0xc4/0x124<br /> validate_xmit_skb+0x9c/0x2c0<br /> validate_xmit_skb_list+0x4c/0x80<br /> sch_direct_xmit+0x70/0x404<br /> __dev_queue_xmit+0x64c/0xe5c<br /> neigh_resolve_output+0x178/0x1c4<br /> ip_finish_output2+0x37c/0x47c<br /> __ip_finish_output+0x194/0x240<br /> ip_finish_output+0x20/0xf4<br /> ip_output+0x100/0x1a0<br /> NF_HOOK+0xc4/0x16c<br /> ip_forward+0x314/0x32c<br /> ip_rcv+0x90/0x118<br /> __netif_receive_skb+0x74/0x124<br /> process_backlog+0xe8/0x1a4<br /> __napi_poll+0x5c/0x1f8<br /> net_rx_action+0x154/0x314<br /> handle_softirqs+0x154/0x4b8<br /> <br /> [118.376811] [C201134] rxq0_pus: [name:bug&amp;]kernel BUG at net/core/skbuff.c:4278!<br /> [118.376829] [C201134] rxq0_pus: [name:traps&amp;]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP<br /> [118.470774] [C201134] rxq0_pus: [name:mrdump&amp;]Kernel Offset: 0x178cc00000 from 0xffffffc008000000<br /> [118.470810] [C201134] rxq0_pus: [name:mrdump&amp;]PHYS_OFFSET: 0x40000000<br /> [118.470827] [C201134] rxq0_pus: [name:mrdump&amp;]pstate: 60400005 (nZCv daif +PAN -UAO)<br /> [118.470848] [C201134] rxq0_pus: [name:mrdump&amp;]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14<br /> [118.470900] [C201134] rxq0_pus: [name:mrdump&amp;]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14<br /> [118.470928] [C201134] rxq0_pus: [name:mrdump&amp;]sp : ffffffc008013770