ghsa-frr7-rgvg-v3p9
Vulnerability from github
Published
2024-08-22 06:30
Modified
2024-08-22 21:31
Details

In the Linux kernel, the following vulnerability has been resolved:

gso: do not skip outer ip header in case of ipip and net_failover

We encounter a tcp drop issue in our cloud environment. Packet GROed in host forwards to a VM virtio_net nic with net_failover enabled. VM acts as a IPVS LB with ipip encapsulation. The full path like: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx

When net_failover transmits a ipip pkt (gso_type = 0x0103, which means SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso did because it supports TSO and GSO_IPXIP4. But network_header points to inner ip header.

Call Trace: tcp4_gso_segment ------> return NULL inet_gso_segment ------> inner iph, network_header points to ipip_gso_segment inet_gso_segment ------> outer iph skb_mac_gso_segment

Afterwards virtio_net transmits the pkt, only inner ip header is modified. And the outer one just keeps unchanged. The pkt will be dropped in remote host.

Call Trace: inet_gso_segment ------> inner iph, outer iph is skipped skb_mac_gso_segment __skb_gso_segment validate_xmit_skb validate_xmit_skb_list sch_direct_xmit __qdisc_run __dev_queue_xmit ------> virtio_net dev_hard_start_xmit __dev_queue_xmit ------> net_failover ip_finish_output2 ip_output iptunnel_xmit ip_tunnel_xmit ipip_tunnel_xmit ------> ipip dev_hard_start_xmit __dev_queue_xmit ip_finish_output2 ip_output ip_forward ip_rcv __netif_receive_skb_one_core netif_receive_skb_internal napi_gro_receive receive_buf virtnet_poll net_rx_action

The root cause of this issue is specific with the rare combination of SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option. SKB_GSO_DODGY is set from external virtio_net. We need to reset network header when callbacks.gso_segment() returns NULL.

This patch also includes ipv6_gso_segment(), considering SIT, etc.

Show details on source website


{
  "affected": [],
  "aliases": [
    "CVE-2022-48936"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T04:15:16Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ngso: do not skip outer ip header in case of ipip and net_failover\n\nWe encounter a tcp drop issue in our cloud environment. Packet GROed in\nhost forwards to a VM virtio_net nic with net_failover enabled. VM acts\nas a IPVS LB with ipip encapsulation. The full path like:\nhost gro -\u003e vm virtio_net rx -\u003e net_failover rx -\u003e ipvs fullnat\n -\u003e ipip encap -\u003e net_failover tx -\u003e virtio_net tx\n\nWhen net_failover transmits a ipip pkt (gso_type = 0x0103, which means\nSKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso\ndid because it supports TSO and GSO_IPXIP4. But network_header points to\ninner ip header.\n\nCall Trace:\n tcp4_gso_segment        ------\u003e return NULL\n inet_gso_segment        ------\u003e inner iph, network_header points to\n ipip_gso_segment\n inet_gso_segment        ------\u003e outer iph\n skb_mac_gso_segment\n\nAfterwards virtio_net transmits the pkt, only inner ip header is modified.\nAnd the outer one just keeps unchanged. The pkt will be dropped in remote\nhost.\n\nCall Trace:\n inet_gso_segment        ------\u003e inner iph, outer iph is skipped\n skb_mac_gso_segment\n __skb_gso_segment\n validate_xmit_skb\n validate_xmit_skb_list\n sch_direct_xmit\n __qdisc_run\n __dev_queue_xmit        ------\u003e virtio_net\n dev_hard_start_xmit\n __dev_queue_xmit        ------\u003e net_failover\n ip_finish_output2\n ip_output\n iptunnel_xmit\n ip_tunnel_xmit\n ipip_tunnel_xmit        ------\u003e ipip\n dev_hard_start_xmit\n __dev_queue_xmit\n ip_finish_output2\n ip_output\n ip_forward\n ip_rcv\n __netif_receive_skb_one_core\n netif_receive_skb_internal\n napi_gro_receive\n receive_buf\n virtnet_poll\n net_rx_action\n\nThe root cause of this issue is specific with the rare combination of\nSKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.\nSKB_GSO_DODGY is set from external virtio_net. We need to reset network\nheader when callbacks.gso_segment() returns NULL.\n\nThis patch also includes ipv6_gso_segment(), considering SIT, etc.",
  "id": "GHSA-frr7-rgvg-v3p9",
  "modified": "2024-08-22T21:31:29Z",
  "published": "2024-08-22T06:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48936"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.