CVE-2025-39770

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM<br /> <br /> When performing Generic Segmentation Offload (GSO) on an IPv6 packet that<br /> contains extension headers, the kernel incorrectly requests checksum offload<br /> if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has<br /> a strict contract: it supports checksum offload only for plain TCP or UDP<br /> over IPv6 and explicitly does not support packets with extension headers.<br /> The current GSO logic violates this contract by failing to disable the feature<br /> for packets with extension headers, such as those used in GREoIPv6 tunnels.<br /> <br /> This violation results in the device being asked to perform an operation<br /> it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse<br /> of network throughput. While device TSO/USO is correctly bypassed in favor<br /> of software GSO for these packets, the GSO stack must be explicitly told not<br /> to request checksum offload.<br /> <br /> Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4<br /> in gso_features_check if the IPv6 header contains extension headers to compute<br /> checksum in software.<br /> <br /> The exception is a BIG TCP extension, which, as stated in commit<br /> 68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"):<br /> "The feature is only enabled on devices that support BIG TCP TSO.<br /> The header is only present for PF_PACKET taps like tcpdump,<br /> and not transmitted by physical devices."<br /> <br /> kernel log output (truncated):<br /> WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140<br /> ...<br /> Call Trace:<br /> <br /> skb_checksum_help+0x12a/0x1f0<br /> validate_xmit_skb+0x1a3/0x2d0<br /> validate_xmit_skb_list+0x4f/0x80<br /> sch_direct_xmit+0x1a2/0x380<br /> __dev_xmit_skb+0x242/0x670<br /> __dev_queue_xmit+0x3fc/0x7f0<br /> ip6_finish_output2+0x25e/0x5d0<br /> ip6_finish_output+0x1fc/0x3f0<br /> ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]<br /> ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]<br /> dev_hard_start_xmit+0x63/0x1c0<br /> __dev_queue_xmit+0x6d0/0x7f0<br /> ip6_finish_output2+0x214/0x5d0<br /> ip6_finish_output+0x1fc/0x3f0<br /> ip6_xmit+0x2ca/0x6f0<br /> ip6_finish_output+0x1fc/0x3f0<br /> ip6_xmit+0x2ca/0x6f0<br /> inet6_csk_xmit+0xeb/0x150<br /> __tcp_transmit_skb+0x555/0xa80<br /> tcp_write_xmit+0x32a/0xe90<br /> tcp_sendmsg_locked+0x437/0x1110<br /> tcp_sendmsg+0x2f/0x50<br /> ...<br /> skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e<br /> skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00<br /> skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00<br /> skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00<br /> skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00<br /> skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00<br /> skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9<br /> skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01<br /> skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a