CVE-2024-49979
net: gso: fix tcp fraglist segmentation after pull from frag_list
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
net: gso: fix tcp fraglist segmentation after pull from frag_list
| Assigner | Linux |
| Reserved | 2024-10-21 |
| Published | 2024-10-21 |
| Updated | 2024-11-19 |
In the Linux kernel, the following vulnerability has been resolved: net: gso: fix tcp fraglist segmentation after pull from frag_list Detect tcp gso fraglist skbs with corrupted geometry (see below) and pass these to skb_segment instead of skb_segment_list, as the first can segment them correctly. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify these skbs, breaking these invariants. In extreme cases they pull all data into skb linear. For TCP, this causes a NULL ptr deref in __tcpv4_gso_segment_list_csum at tcp_hdr(seg->next). Detect invalid geometry due to pull, by checking head_skb size. Don't just drop, as this may blackhole a destination. Convert to be able to pass to regular skb_segment. Approach and description based on a patch by Willem de Bruijn.
https://git.kernel.org/stable/c/3fdd8c83e83fa5e82f1b5585245c51e0355c9f46
https://git.kernel.org/stable/c/2d4a83a44428de45bfe9dccb0192a3711d1097e0
https://git.kernel.org/stable/c/17bd3bd82f9f79f3feba15476c2b2c95a9b11ff8
