CVE-2024-43897

Severity (CVSS v4.0): Pending analysis
Type: Unavailable / Other
Publication date: 26/08/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: drop bad gso csum_start and offset in virtio_net_hdr

Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skb
for GSO packets.

The function already checks that a checksum requested with
VIRTIO_NET_HDR_F_NEEDS_CSUM is in skb linear. But for GSO packets
this might not hold for segs after segmentation.

Syzkaller demonstrated to reach this warning in skb_checksum_help

    offset = skb_checksum_start_offset(skb);
    ret = -EINVAL;
    if (WARN_ON_ONCE(offset >= skb_headlen(skb)))

By injecting a TSO packet:

    WARNING: CPU: 1 PID: 3539 at net/core/dev.c:3284 skb_checksum_help+0x3d0/0x5b0
    ip_do_fragment+0x209/0x1b20 net/ipv4/ip_output.c:774
    ip_finish_output_gso net/ipv4/ip_output.c:279 [inline]
    __ip_finish_output+0x2bd/0x4b0 net/ipv4/ip_output.c:301
    iptunnel_xmit+0x50c/0x930 net/ipv4/ip_tunnel_core.c:82
    ip_tunnel_xmit+0x2296/0x2c70 net/ipv4/ip_tunnel.c:813
    __gre_xmit net/ipv4/ip_gre.c:469 [inline]
    ipgre_xmit+0x759/0xa60 net/ipv4/ip_gre.c:661
    __netdev_start_xmit include/linux/netdevice.h:4850 [inline]
    netdev_start_xmit include/linux/netdevice.h:4864 [inline]
    xmit_one net/core/dev.c:3595 [inline]
    dev_hard_start_xmit+0x261/0x8c0 net/core/dev.c:3611
    __dev_queue_xmit+0x1b97/0x3c90 net/core/dev.c:4261
    packet_snd net/packet/af_packet.c:3073 [inline]

The geometry of the bad input packet at tcp_gso_segment:

    [ 52.003050][ T8403] skb len=12202 headroom=244 headlen=12093 tailroom=0
    [ 52.003050][ T8403] mac=(168,24) mac_len=24 net=(192,52) trans=244
    [ 52.003050][ T8403] shinfo(txflags=0 nr_frags=1 gso(size=1552 type=3 segs=0))
    [ 52.003050][ T8403] csum(0x60000c7 start=199 offset=1536
    ip_summed=3 complete_sw=0 valid=0 level=0)

Mitigate with stricter input validation.

csum_offset: for GSO packets, deduce the correct value from gso_type.
This is already done for USO. Extend it to TSO. Let UFO be:
udp[46]_ufo_fragment ignores these fields and always computes the
checksum in software.

csum_start: finding the real offset requires parsing to the transport
header. Do not add a parser, use existing segmentation parsing. Thanks
to SKB_GSO_DODGY, that also catches bad packets that are hw offloaded.
Again test both TSO and USO. Do not test UFO for the above reason, and
do not test UDP tunnel offload.

GSO packets are almost always CHECKSUM_PARTIAL. USO packets may be
CHECKSUM_NONE since commit 10154dbded6d6 ("udp: Allow GSO transmit
from devices with no checksum offload"), but then still these fields
are initialized correctly in udp4_hwcsum/udp6_hwcsum_outgoing. So no
need to test for ip_summed == CHECKSUM_PARTIAL first.

This revises an existing fix mentioned in the Fixes tag, which broke
small packets with GSO offload, as detected by kselftests.
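The commit message above describes two new checks layered on top of the pre-existing "checksum field lies in linear data" test: csum_offset must match the transport protocol implied by gso_type, and csum_start must equal the real transport-header offset found while parsing for segmentation. The following user-space C model is an added illustration written for this page; it is not the kernel's code and does not reproduce virtio_net_hdr_to_skb or tcp_gso_segment. It folds both kernel-side checks into one function, uses its own minimal Ethernet/IPv4/IPv6 parser as a stand-in for the kernel's segmentation parsing, and ignores extension headers, hdr_len, tunnel offloads and the ECN bit beyond masking it. The struct layout and the VIRTIO_NET_HDR_* constants mirror the uapi values; the packet and header values used in the demo functions are constructed, with one case borrowing the csum_start=199/csum_offset=1536/headlen=12093 geometry from the syzkaller report to show that the old linear-data check alone accepts it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constants and layout mirror include/uapi/linux/virtio_net.h. */
#define VIRTIO_NET_HDR_F_NEEDS_CSUM 1
#define VIRTIO_NET_HDR_GSO_NONE     0
#define VIRTIO_NET_HDR_GSO_TCPV4    1
#define VIRTIO_NET_HDR_GSO_UDP      3   /* UFO */
#define VIRTIO_NET_HDR_GSO_TCPV6    4
#define VIRTIO_NET_HDR_GSO_UDP_L4   5   /* USO */
#define VIRTIO_NET_HDR_GSO_ECN      0x80

struct vnet_hdr {                       /* model of struct virtio_net_hdr */
    uint8_t  flags, gso_type;
    uint16_t hdr_len, gso_size, csum_start, csum_offset;
};

#define ETH_HLEN      14
#define ETH_P_IP      0x0800
#define ETH_P_IPV6    0x86DD
#define IPPROTO_TCP   6
#define IPPROTO_UDP   17
#define TCP_CHECK_OFF 16                /* offsetof(struct tcphdr, check) */
#define UDP_CHECK_OFF 6                 /* offsetof(struct udphdr, check) */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Pre-existing check: the 2-byte checksum field must sit in linear data.
 * Returns 1 if it does. This is the test that the syzkaller packet passes. */
int csum_in_linear(uint16_t start, uint16_t off, size_t headlen)
{
    return (size_t)start + off + 2 <= headlen;
}

/* Stand-in for the parsing the kernel already performs during segmentation:
 * Ethernet -> IPv4/IPv6 (no extension headers) -> transport offset + proto.
 * Returns -1 on truncation or non-IP. */
static int transport_offset(const uint8_t *pkt, size_t len, int *proto)
{
    if (len < ETH_HLEN) return -1;
    uint16_t eth = be16(pkt + 12);
    size_t off = ETH_HLEN;
    if (eth == ETH_P_IP) {
        if (len < off + 20) return -1;
        size_t ihl = (size_t)(pkt[off] & 0x0f) * 4;
        if (ihl < 20 || len < off + ihl) return -1;
        *proto = pkt[off + 9];
        return (int)(off + ihl);
    }
    if (eth == ETH_P_IPV6) {
        if (len < off + 40) return -1;
        *proto = pkt[off + 6];          /* next header, assumed to be transport */
        return (int)(off + 40);
    }
    return -1;
}

/* Model of the tightened validation: 0 = accept, -1 = reject (-EINVAL). */
int vnet_hdr_check(const struct vnet_hdr *h, const uint8_t *pkt, size_t headlen)
{
    int gso = h->gso_type & ~VIRTIO_NET_HDR_GSO_ECN;
    if ((h->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) &&
        !csum_in_linear(h->csum_start, h->csum_offset, headlen))
        return -1;
    if (gso == VIRTIO_NET_HDR_GSO_NONE) return 0;

    /* 1. csum_offset is implied by gso_type (TSO: tcphdr.check, USO: udphdr.check). */
    int want_off, want_proto;
    switch (gso) {
    case VIRTIO_NET_HDR_GSO_TCPV4:
    case VIRTIO_NET_HDR_GSO_TCPV6: want_off = TCP_CHECK_OFF; want_proto = IPPROTO_TCP; break;
    case VIRTIO_NET_HDR_GSO_UDP_L4: want_off = UDP_CHECK_OFF; want_proto = IPPROTO_UDP; break;
    case VIRTIO_NET_HDR_GSO_UDP: return 0;   /* UFO recomputes in software; fields unused */
    default: return -1;
    }
    if (h->csum_offset != want_off) return -1;

    /* 2. csum_start must be the transport header offset found by parsing. */
    int proto, toff = transport_offset(pkt, headlen, &proto);
    if (toff < 0 || proto != want_proto || h->csum_start != toff) return -1;
    return 0;
}

/* Constructed sample frame: Ethernet + IPv4 (IHL 5) + TCP (data offset 5) + zero payload. */
static void build_eth_ipv4_tcp(uint8_t *buf, size_t len)
{
    memset(buf, 0, len);
    buf[12] = 0x08; buf[13] = 0x00;           /* EtherType IPv4 */
    buf[ETH_HLEN] = 0x45;                      /* version 4, IHL 5 */
    buf[ETH_HLEN + 9] = IPPROTO_TCP;
    buf[ETH_HLEN + 20 + 12] = 0x50;            /* TCP data offset 5 */
}

int demo_good_tso(void)        /* start=34 (14+20), offset=16: accepted */
{
    uint8_t pkt[256]; build_eth_ipv4_tcp(pkt, sizeof pkt);
    struct vnet_hdr h = { VIRTIO_NET_HDR_F_NEEDS_CSUM, VIRTIO_NET_HDR_GSO_TCPV4, 54, 100, 34, TCP_CHECK_OFF };
    return vnet_hdr_check(&h, pkt, sizeof pkt);
}
int demo_syzkaller_geometry(void)  /* start=199, offset=1536 in 12093 linear bytes: rejected */
{
    static uint8_t pkt[12093]; build_eth_ipv4_tcp(pkt, sizeof pkt);
    struct vnet_hdr h = { VIRTIO_NET_HDR_F_NEEDS_CSUM, VIRTIO_NET_HDR_GSO_TCPV4, 54, 1552, 199, 1536 };
    return vnet_hdr_check(&h, pkt, sizeof pkt);
}
int demo_bad_start(void)       /* right offset, csum_start past the TCP header: rejected */
{
    uint8_t pkt[256]; build_eth_ipv4_tcp(pkt, sizeof pkt);
    struct vnet_hdr h = { VIRTIO_NET_HDR_F_NEEDS_CSUM, VIRTIO_NET_HDR_GSO_TCPV4, 54, 100, 40, TCP_CHECK_OFF };
    return vnet_hdr_check(&h, pkt, sizeof pkt);
}
int demo_uso_on_tcp(void)      /* USO gso_type on a TCP packet: protocol mismatch, rejected */
{
    uint8_t pkt[256]; build_eth_ipv4_tcp(pkt, sizeof pkt);
    struct vnet_hdr h = { VIRTIO_NET_HDR_F_NEEDS_CSUM, VIRTIO_NET_HDR_GSO_UDP_L4, 42, 100, 34, UDP_CHECK_OFF };
    return vnet_hdr_check(&h, pkt, sizeof pkt);
}

int main(void)
{
    printf("linear-only check on syzkaller geometry: %d (1 = passes the old check)\n",
           csum_in_linear(199, 1536, 12093));
    printf("good TSO %d, syzkaller %d, bad start %d, USO on TCP %d\n",
           demo_good_tso(), demo_syzkaller_geometry(), demo_bad_start(), demo_uso_on_tcp());
    return 0;
}
```

The point the model makes is the one in the commit message: 199 + 1536 + 2 is well inside a 12093-byte linear area, so the original check accepts the header, yet after segmentation into 1552-byte segments the checksum field no longer lies in any segment's headlen, which is what trips the WARN_ON_ONCE in skb_checksum_help. Deriving csum_offset from gso_type and comparing csum_start against the parsed transport offset rejects the header before any segmentation happens.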

Vulnerable products and versions

CPE                                                 From                   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        5.15.165 (including)   6.1.107 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.6.44 (including)     6.6.46 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.10.3 (including)     6.10.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*   (exact version 6.11-rc1, no range)