CVE-2025-38622
Publication date:
22/08/2025
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
net: drop UFO packets in udp_rcv_segment()<br />
<br />
When sending a packet with virtio_net_hdr to tun device, if the gso_type<br />
in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr<br />
size, below crash may happen.<br />
<br />
------------[ cut here ]------------<br />
kernel BUG at net/core/skbuff.c:4572!<br />
Oops: invalid opcode: 0000 [#1] SMP NOPTI<br />
CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)<br />
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014<br />
RIP: 0010:skb_pull_rcsum+0x8e/0xa0<br />
Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc 0b 0f 0b 66 66 2e 0f 1f 84 00 000<br />
RSP: 0018:ffffc900001fba38 EFLAGS: 00000297<br />
RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948<br />
RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062<br />
RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001<br />
R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000<br />
R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900<br />
FS: 000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000<br />
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br />
CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0<br />
Call Trace:<br />
<br />
udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445<br />
udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475<br />
udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626<br />
__udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690<br />
ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205<br />
ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233<br />
ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579<br />
ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636<br />
ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670<br />
__netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067<br />
netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210<br />
napi_complete_done+0x78/0x180 net/core/dev.c:6580<br />
tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909<br />
tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984<br />
vfs_write+0x300/0x420 fs/read_write.c:593<br />
ksys_write+0x60/0xd0 fs/read_write.c:686<br />
do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63<br />
<br />
<br />
To trigger gso segment in udp_queue_rcv_skb(), we should also set option<br />
UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv<br />
hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try<br />
to pull udphdr, but the skb size has been segmented to gso size, which<br />
leads to this crash.<br />
<br />
Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection")<br />
introduces segmentation in UDP receive path only for GRO, which was never<br />
intended to be used for UFO, so drop UFO packets in udp_rcv_segment().
Severity CVSS v4.0: Pending analysis
Last modification:
07/01/2026