CVE-2022-48936 Information

Aug 24, 2024 cve

Description

In the Linux kernel the following vulnerability has been resolved:

gso: do not skip outer ip header in case of ipip and net_failover

We encounter a tcp drop issue in our cloud environment. Packet GROed in host forwards to a VM virtio_net nic with net_failover enabled. VM acts as a IPVS LB with ipip encapsulation. The full path like: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx

When net_failover transmits a ipip pkt (gso_type = 0x0103 which means SKB_GSO_TCPV4 SKB_GSO_DODGY and SKB_GSO_IPXIP4) there is no gso did because it supports TSO and GSO_IPXIP4. But network_header points to inner ip header.

Call Trace: tcp4_gso_segment ——> return NULL inet_gso_segment ——> inner iph network_header points to ipip_gso_segment inet_gso_segment ——> outer iph skb_mac_gso_segment

Afterwards virtio_net transmits the pkt only inner ip header is modified. And the outer one just keeps unchanged. The pkt will be dropped in remote host.

Call Trace: inet_gso_segment ——> inner iph outer iph is skipped skb_mac_gso_segment __skb_gso_segment validate_xmit_skb validate_xmit_skb_list sch_direct_xmit __qdisc_run __dev_queue_xmit ——> virtio_net dev_hard_start_xmit __dev_queue_xmit ——> net_failover ip_finish_output2 ip_output iptunnel_xmit ip_tunnel_xmit ipip_tunnel_xmit ——> ipip dev_hard_start_xmit __dev_queue_xmit ip_finish_output2 ip_output ip_forward ip_rcv __netif_receive_skb_one_core netif_receive_skb_internal napi_gro_receive receive_buf virtnet_poll net_rx_action

The root cause of this issue is specific with the rare combination of SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option. SKB_GSO_DODGY is set from external virtio_net. We need to reset network header when callbacks.gso_segment() returns NULL.

This patch also includes ipv6_gso_segment() considering SIT etc.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7 https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73 https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39 https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395 https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499 https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5

Share on: