Products
Linux kernel
linux_kernel
- *
Source
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Tags
CVE-2022-48936 details
Last Modified : Aug. 22, 2024, 7:03 p.m.
Description
In the Linux kernel, the following vulnerability has been resolved: gso: do not skip outer ip header in case of ipip and net_failover We encounter a tcp drop issue in our cloud environment. Packet GROed in host forwards to a VM virtio_net nic with net_failover enabled. VM acts as a IPVS LB with ipip encapsulation. The full path like: host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx When net_failover transmits a ipip pkt (gso_type = 0x0103, which means SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso did because it supports TSO and GSO_IPXIP4. But network_header points to inner ip header. Call Trace: tcp4_gso_segment ------> return NULL inet_gso_segment ------> inner iph, network_header points to ipip_gso_segment inet_gso_segment ------> outer iph skb_mac_gso_segment Afterwards virtio_net transmits the pkt, only inner ip header is modified. And the outer one just keeps unchanged. The pkt will be dropped in remote host. Call Trace: inet_gso_segment ------> inner iph, outer iph is skipped skb_mac_gso_segment __skb_gso_segment validate_xmit_skb validate_xmit_skb_list sch_direct_xmit __qdisc_run __dev_queue_xmit ------> virtio_net dev_hard_start_xmit __dev_queue_xmit ------> net_failover ip_finish_output2 ip_output iptunnel_xmit ip_tunnel_xmit ipip_tunnel_xmit ------> ipip dev_hard_start_xmit __dev_queue_xmit ip_finish_output2 ip_output ip_forward ip_rcv __netif_receive_skb_one_core netif_receive_skb_internal napi_gro_receive receive_buf virtnet_poll net_rx_action The root cause of this issue is specific with the rare combination of SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option. SKB_GSO_DODGY is set from external virtio_net. We need to reset network header when callbacks.gso_segment() returns NULL. This patch also includes ipv6_gso_segment(), considering SIT, etc.
CVSS Score
1 | 2 | 3 | 4 | 5.5 | 6 | 7 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
5.5
Exploitability Score
1.8
Impact Score
3.6
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
References
URL | Source |
---|---|
https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73 | 416baaa9-dc9f-4396-8d5f-8c081fb06d67 |
CPEs
Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information |
---|---|---|---|---|---|---|---|---|---|---|
o | linux | linux_kernel | / | / | / | / | / | / | / | / |
o | linux | linux_kernel | / | / | / | / | / | / | / | / |
o | linux | linux_kernel | / | / | / | / | / | / | / | / |
o | linux | linux_kernel | / | / | / | / | / | / | / | / |
o | linux | linux_kernel | / | / | / | / | / | / | / | / |
o | linux | linux_kernel | / | / | / | / | / | / | / | / |
o | linux | linux_kernel | / | / | / | / | / | / | / | / |