CVE-2021-47099

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
04/03/2024
Last modified:
08/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

veth: ensure skb entering GRO are not cloned.

After commit d3256efd8e8b ("veth: allow enabling NAPI even without XDP"),
if GRO is enabled on a veth device and TSO is disabled on the peer
device, TCP skbs will go through the NAPI callback. If there is no XDP
program attached, the veth code does not perform any share check, and
shared/cloned skbs could enter the GRO engine.

Ignat reported a BUG triggered later-on due to the above condition:

[ 53.970529][ C1] kernel BUG at net/core/skbuff.c:3574!
[ 53.981755][ C1] invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
[ 53.982634][ C1] CPU: 1 PID: 19 Comm: ksoftirqd/1 Not tainted 5.16.0-rc5+ #25
[ 53.982634][ C1] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
[ 53.982634][ C1] RIP: 0010:skb_shift+0x13ef/0x23b0
[ 53.982634][ C1] Code: ea 03 0f b6 04 02 48 89 fa 83 e2 07 38 d0 7f 08 84 c0 0f 85 41 0c 00 00 41 80 7f 02 00 4d 8d b5 d0 00 00 00 0f 85 74 f5 ff ff 0b 4d 8d 77 20 be 04 00 00 00 4c 89 44 24 78 4c 89 f7 4c 89 8c
[ 53.982634][ C1] RSP: 0018:ffff8881008f7008 EFLAGS: 00010246
[ 53.982634][ C1] RAX: 0000000000000000 RBX: ffff8881180b4c80 RCX: 0000000000000000
[ 53.982634][ C1] RDX: 0000000000000002 RSI: ffff8881180b4d3c RDI: ffff88810bc9cac2
[ 53.982634][ C1] RBP: ffff8881008f70b8 R08: ffff8881180b4cf4 R09: ffff8881180b4cf0
[ 53.982634][ C1] R10: ffffed1022999e5c R11: 0000000000000002 R12: 0000000000000590
[ 53.982634][ C1] R13: ffff88810f940c80 R14: ffff88810f940d50 R15: ffff88810bc9cac0
[ 53.982634][ C1] FS: 0000000000000000(0000) GS:ffff888235880000(0000) knlGS:0000000000000000
[ 53.982634][ C1] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 53.982634][ C1] CR2: 00007ff5f9b86680 CR3: 0000000108ce8004 CR4: 0000000000170ee0
[ 53.982634][ C1] Call Trace:
[ 53.982634][ C1] tcp_sacktag_walk+0xaba/0x18e0
[ 53.982634][ C1] tcp_sacktag_write_queue+0xe7b/0x3460
[ 53.982634][ C1] tcp_ack+0x2666/0x54b0
[ 53.982634][ C1] tcp_rcv_established+0x4d9/0x20f0
[ 53.982634][ C1] tcp_v4_do_rcv+0x551/0x810
[ 53.982634][ C1] tcp_v4_rcv+0x22ed/0x2ed0
[ 53.982634][ C1] ip_protocol_deliver_rcu+0x96/0xaf0
[ 53.982634][ C1] ip_local_deliver_finish+0x1e0/0x2f0
[ 53.982634][ C1] ip_sublist_rcv_finish+0x211/0x440
[ 53.982634][ C1] ip_list_rcv_finish.constprop.0+0x424/0x660
[ 53.982634][ C1] ip_list_rcv+0x2c8/0x410
[ 53.982634][ C1] __netif_receive_skb_list_core+0x65c/0x910
[ 53.982634][ C1] netif_receive_skb_list_internal+0x5f9/0xcb0
[ 53.982634][ C1] napi_complete_done+0x188/0x6e0
[ 53.982634][ C1] gro_cell_poll+0x10c/0x1d0
[ 53.982634][ C1] __napi_poll+0xa1/0x530
[ 53.982634][ C1] net_rx_action+0x567/0x1270
[ 53.982634][ C1] __do_softirq+0x28a/0x9ba
[ 53.982634][ C1] run_ksoftirqd+0x32/0x60
[ 53.982634][ C1] smpboot_thread_fn+0x559/0x8c0
[ 53.982634][ C1] kthread+0x3b9/0x490
[ 53.982634][ C1] ret_from_fork+0x22/0x30

Address the issue by skipping the GRO stage for shared or cloned skbs.
To reduce the chance of OoO, try to unclone the skbs before giving up.

v1 -> v2:
- use avoid skb_copy and fallback to netif_receive_skb - Eric
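As an added illustration of the fix described above (this is not the kernel's code and not part of the advisory), the following user-space C model reproduces the patched decision: a shared skb, or a cloned skb that cannot be uncloned, is handed to the plain receive path instead of the GRO engine. The struct fields, the helper names and the alloc_ok flag standing in for a successful GFP_ATOMIC allocation are constructed assumptions that mimic the kernel's skb_shared()/skb_cloned()/skb_unclone() semantics.

```c
#include <stdbool.h>

/* Constructed model of the sk_buff state that matters for this bug (not
 * kernel code): 'users' is the skb refcount, so skb_shared() means users > 1;
 * 'cloned' and 'dataref' model skb_cloned(), true when the header has been
 * cloned and the payload is still referenced by more than one clone. */
struct model_skb {
    int users;
    int cloned;
    int dataref;
};

enum rx_path { RX_GRO, RX_NETIF_RECEIVE };

static bool model_skb_shared(const struct model_skb *skb)
{
    return skb->users > 1;
}

static bool model_skb_cloned(const struct model_skb *skb)
{
    return skb->cloned && skb->dataref > 1;
}

/* Model of skb_unclone(): if the skb is cloned, give it a private copy of
 * the data so later stages (such as skb_shift() in the GRO/TCP path) may
 * modify it safely. 'alloc_ok' stands in for the atomic allocation
 * succeeding. Returns 0 on success and -1 on failure. */
static int model_skb_unclone(struct model_skb *skb, bool alloc_ok)
{
    if (!model_skb_cloned(skb))
        return 0;
    if (!alloc_ok)
        return -1;
    skb->dataref = 1;   /* this skb now owns its data exclusively */
    skb->cloned = 0;
    return 0;
}

/* Patched decision point. Before the fix every skb went to GRO (RX_GRO
 * unconditionally); after it, a shared skb, or a cloned skb that could not
 * be uncloned, falls back to netif_receive_skb() and never enters GRO. */
static enum rx_path veth_pick_rx_path(struct model_skb *skb, bool alloc_ok)
{
    if (model_skb_shared(skb) || model_skb_unclone(skb, alloc_ok) != 0)
        return RX_NETIF_RECEIVE;
    return RX_GRO;
}
```

The unclone-first step is what keeps the common cloned-but-not-shared case on the GRO path, which is why the changelog notes it reduces out-of-order (OoO) delivery compared with always bypassing GRO.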

Vulnerable products and versions

CPE | From (version) | Up to (version)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.13 (including) | 5.15.12 (excluding)
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:* | - | -
cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:* | - | -