{ "containers": { "cna": { "providerMetadata": { "orgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038" }, "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngso: do not skip outer ip header in case of ipip and net_failover\n\nWe encounter a tcp drop issue in our cloud environment. Packet GROed in\nhost forwards to a VM virtio_net nic with net_failover enabled. VM acts\nas a IPVS LB with ipip encapsulation. The full path like:\nhost gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat\n -> ipip encap -> net_failover tx -> virtio_net tx\n\nWhen net_failover transmits a ipip pkt (gso_type = 0x0103, which means\nSKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso\ndid because it supports TSO and GSO_IPXIP4. But network_header points to\ninner ip header.\n\nCall Trace:\n tcp4_gso_segment ------> return NULL\n inet_gso_segment ------> inner iph, network_header points to\n ipip_gso_segment\n inet_gso_segment ------> outer iph\n skb_mac_gso_segment\n\nAfterwards virtio_net transmits the pkt, only inner ip header is modified.\nAnd the outer one just keeps unchanged. The pkt will be dropped in remote\nhost.\n\nCall Trace:\n inet_gso_segment ------> inner iph, outer iph is skipped\n skb_mac_gso_segment\n __skb_gso_segment\n validate_xmit_skb\n validate_xmit_skb_list\n sch_direct_xmit\n __qdisc_run\n __dev_queue_xmit ------> virtio_net\n dev_hard_start_xmit\n __dev_queue_xmit ------> net_failover\n ip_finish_output2\n ip_output\n iptunnel_xmit\n ip_tunnel_xmit\n ipip_tunnel_xmit ------> ipip\n dev_hard_start_xmit\n __dev_queue_xmit\n ip_finish_output2\n ip_output\n ip_forward\n ip_rcv\n __netif_receive_skb_one_core\n netif_receive_skb_internal\n napi_gro_receive\n receive_buf\n virtnet_poll\n net_rx_action\n\nThe root cause of this issue is specific with the rare combination of\nSKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.\nSKB_GSO_DODGY is set from external virtio_net. We need to reset network\nheader when callbacks.gso_segment() returns NULL.\n\nThis patch also includes ipv6_gso_segment(), considering SIT, etc." } ], "affected": [ { "product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/ipv4/af_inet.c", "net/ipv6/ip6_offload.c" ], "versions": [ { "version": "cb32f511a70b", "lessThan": "45d006c2c7ed", "status": "affected", "versionType": "git" }, { "version": "cb32f511a70b", "lessThan": "7840e559799a", "status": "affected", "versionType": "git" }, { "version": "cb32f511a70b", "lessThan": "e9ffbe63f6f3", "status": "affected", "versionType": "git" }, { "version": "cb32f511a70b", "lessThan": "2b3cdd70ea5f", "status": "affected", "versionType": "git" }, { "version": "cb32f511a70b", "lessThan": "dac2490d9ee0", "status": "affected", "versionType": "git" }, { "version": "cb32f511a70b", "lessThan": "899e56a1ad43", "status": "affected", "versionType": "git" }, { "version": "cb32f511a70b", "lessThan": "a739963f4326", "status": "affected", "versionType": "git" }, { "version": "cb32f511a70b", "lessThan": "cc20cced0598", "status": "affected", "versionType": "git" } ] }, { "product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": [ "net/ipv4/af_inet.c", "net/ipv6/ip6_offload.c" ], "versions": [ { "version": "3.13", "status": "affected" }, { "version": "0", "lessThan": "3.13", "status": "unaffected", "versionType": "custom" }, { "version": "4.9.304", "lessThanOrEqual": "4.9.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.14.269", "lessThanOrEqual": "4.14.*", "status": "unaffected", "versionType": "custom" }, { "version": "4.19.232", "lessThanOrEqual": "4.19.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.4.182", "lessThanOrEqual": "5.4.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.10.103", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.15.26", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.16.12", "lessThanOrEqual": "5.16.*", "status": "unaffected", "versionType": "custom" }, { "version": "5.17", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix" } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e" }, { "url": "https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7" }, { "url": "https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73" }, { "url": "https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea" }, { "url": "https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39" }, { "url": "https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395" }, { "url": "https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499" }, { "url": "https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819" } ], "title": "gso: do not skip outer ip header in case of ipip and net_failover", "x_generator": { "engine": "bippy-c9c4e1df01b2" } } }, "cveMetadata": { "assignerOrgId": "f4215fc3-5b6b-47ff-a258-f7189bd81038", "cveID": "CVE-2022-48936", "requesterUserId": "gregkh@kernel.org", "serial": "1", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.0" }