CVE-2024-49949

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
21/10/2024
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: avoid potential underflow in qdisc_pkt_len_init() with UFO

After commit 7c6d2ecbda83 ("net: be more gentle about silly gso requests coming from user") virtio_net_hdr_to_skb() had a sanity check to detect malicious attempts from user space to cook a bad GSO packet.

Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO"), while fixing one issue, allowed user space to cook a GSO packet with the following characteristics:

IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.

When this packet arrives in qdisc_pkt_len_init(), we end up with hdr_len = 28 (IPv4 header + UDP header), matching skb->len.

Then the following sets gso_segs to 0:

gso_segs = DIV_ROUND_UP(skb->len - hdr_len, shinfo->gso_size);

Then later we set qdisc_skb_cb(skb)->pkt_len back to zero :/

qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;

This leads to the following crash in fq_codel [1].

qdisc_pkt_len_init() is best effort; we only want an estimation of the bytes sent on the wire, not crashing the kernel.

This patch is fixing this particular issue; a following one adds more sanity checks for another potential bug.

[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code
========
0: 24 08 and $0x8,%al
2: 49 c1 e1 06 shl $0x6,%r9
6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
b: 45 31 ed xor %r13d,%r13d
e: 45 31 c0 xor %r8d,%r8d
11: 31 ff xor %edi,%edi
13: 89 44 24 14 mov %eax,0x14(%rsp)
17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
1e: eb 04 jmp 0x24
20: 39 ca cmp %ecx,%edx
22: 73 37 jae 0x5b
24: 4d 8b 39 mov (%r9),%r15
27: 83 c7 01 add $0x1,%edi
2a:* 49 8b 17 mov (%r15),%rdx
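The two statements quoted in the description are enough to reproduce the underflow in user space. The following C model is an added example, not code from the advisory or from the kernel: it mirrors the gso_segs and pkt_len arithmetic with plain unsigned integers, shows that the 28-byte UFO packet with gso_size=3 drives the estimate to 0, and places a hardened variant beside it that refuses to estimate when no payload follows the headers. The function and parameter names, and the signed-payload check in the hardened variant, are assumptions for this example; the upstream fix may differ in detail.

```c
#include <stdio.h>

/* Same rounding helper the kernel uses for the gso_segs computation. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/*
 * Vulnerable estimate (hypothetical name): a literal transcription of the two
 * statements quoted in the advisory. Callers guarantee gso_size != 0, as the
 * kernel does before entering this branch. When len == hdr_len the quotient is
 * 0, (gso_segs - 1) wraps to UINT_MAX, and pkt_len wraps back to 0.
 */
unsigned int pkt_len_estimate_vulnerable(unsigned int len,
                                         unsigned int hdr_len,
                                         unsigned int gso_size)
{
    unsigned int pkt_len = len;                       /* skb->len */
    unsigned int gso_segs = DIV_ROUND_UP(len - hdr_len, gso_size);

    pkt_len += (gso_segs - 1) * hdr_len;              /* wraps when gso_segs == 0 */
    return pkt_len;
}

/*
 * Hardened estimate (hypothetical name): compute the payload as a signed value
 * and keep pkt_len at skb->len when nothing follows the headers. The estimate
 * is best effort, so a malformed packet simply gets no per-segment header
 * accounting instead of a wrapped counter. Assumed shape, not the exact patch.
 */
unsigned int pkt_len_estimate_hardened(unsigned int len,
                                       unsigned int hdr_len,
                                       unsigned int gso_size)
{
    unsigned int pkt_len = len;
    int payload = (int)len - (int)hdr_len;            /* signed on purpose */
    unsigned int gso_segs;

    if (payload <= 0 || gso_size == 0)                /* malformed GSO packet */
        return pkt_len;

    gso_segs = DIV_ROUND_UP((unsigned int)payload, gso_size);
    pkt_len += (gso_segs - 1) * hdr_len;
    return pkt_len;
}

int main(void)
{
    /* Constructed input from the advisory: IPv4 UFO, skb->len 28, hdr_len 28. */
    printf("vulnerable, len=28 hdr=28 gso=3   -> pkt_len %u\n",
           pkt_len_estimate_vulnerable(28, 28, 3));
    printf("hardened,   len=28 hdr=28 gso=3   -> pkt_len %u\n",
           pkt_len_estimate_hardened(28, 28, 3));
    /* Constructed well-formed packet: 2000 payload bytes in 1000-byte segments. */
    printf("hardened,   len=2028 hdr=28 gso=1000 -> pkt_len %u\n",
           pkt_len_estimate_hardened(2028, 28, 1000));
    return 0;
}
```

For the well-formed packet both variants agree (two segments, so one extra copy of the 28-byte header is added), which is the behaviour the estimate exists to produce; only the degenerate zero-payload case diverges.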

Vulnerable products and versions

CPE                                            From                   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.14.256 (including)   4.19 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   4.19.218 (including)   5.4 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.4.162 (including)    5.10 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.10.82 (including)    5.10.227 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.15.5 (including)     5.15.168 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16 (including)       6.1.113 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2 (including)        6.6.55 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7 (including)        6.10.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.11 (including)       6.11.3 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*