We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2022-49872

net: gso: fix panic on frag_list with mixed head alloc types



Description

In the Linux kernel, the following vulnerability has been resolved: net: gso: fix panic on frag_list with mixed head alloc types Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list"), it is allowed to change gso_size of a GRO packet. However, that commit assumes that "checking the first list_skb member suffices; i.e if either of the list_skb members have non head_frag head, then the first one has too". It turns out this assumption does not hold. We've seen BUG_ON being hit in skb_segment when skbs on the frag_list had differing head_frag with the vmxnet3 driver. This happens because __netdev_alloc_skb and __napi_alloc_skb can return a skb that is page backed or kmalloced depending on the requested size. As the result, the last small skb in the GRO packet can be kmalloced. There are three different locations where this can be fixed: (1) We could check head_frag in GRO and not allow GROing skbs with different head_frag. However, that would lead to performance regression on normal forward paths with unmodified gso_size, where !head_frag in the last packet is not a problem. (2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating that NETIF_F_SG is undesirable. That would need to eat a bit in sk_buff. Furthermore, that flag can be unset when all skbs on the frag_list are page backed. To retain good performance, bpf_skb_net_grow/shrink would have to walk the frag_list. (3) Walk the frag_list in skb_segment when determining whether NETIF_F_SG should be cleared. This of course slows things down. This patch implements (3). To limit the performance impact in skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set that have gso_size changed. Normal paths thus will not hit it. We could check only the last skb but since we need to walk the whole list anyway, let's stay on the safe side.

Reserved 2025-05-01 | Published 2025-05-01 | Updated 2025-05-04 | Assigner Linux

Product status

Default status
unaffected

162a5a8c3aff15c449e6b38355cdf80ab4f77a5a before 5876b7f249a1ecbbcc8e35072c3828d6526d1c3a
affected

55fb612bef7fd237fb70068e2b6ff1cd1543a8ef before 0a9f56e525ea871d3950b90076912f5c7494f00f
affected

821302dd0c51d29269ef73a595bdff294419e2cd before bd5362e58721e4d0d1a37796593bd6e51536ce7a
affected

3dcbdb134f329842a38f0e6797191b885ab00a00 before 65ad047fd83502447269fda8fd26c99077a9af47
affected

3dcbdb134f329842a38f0e6797191b885ab00a00 before 50868de7dc4e7f0fcadd6029f32bf4387c102ee6
affected

3dcbdb134f329842a38f0e6797191b885ab00a00 before ad25a115f50800c6847e0d841c5c7992a9f7c1b3
affected

3dcbdb134f329842a38f0e6797191b885ab00a00 before 598d9e30927b15731e83797fbd700ecf399f42dd
affected

3dcbdb134f329842a38f0e6797191b885ab00a00 before 9e4b7a99a03aefd37ba7bb1f022c8efab5019165
affected

92984818ff8cfd97311a5e0ac27f148a00df2b54
affected

Default status
affected

5.3
affected

Any version before 5.3
unaffected

4.9.334
unaffected

4.14.300
unaffected

4.19.267
unaffected

5.4.225
unaffected

5.10.155
unaffected

5.15.79
unaffected

6.0.9
unaffected

6.1
unaffected

References

git.kernel.org/...c/5876b7f249a1ecbbcc8e35072c3828d6526d1c3a

git.kernel.org/...c/0a9f56e525ea871d3950b90076912f5c7494f00f

git.kernel.org/...c/bd5362e58721e4d0d1a37796593bd6e51536ce7a

git.kernel.org/...c/65ad047fd83502447269fda8fd26c99077a9af47

git.kernel.org/...c/50868de7dc4e7f0fcadd6029f32bf4387c102ee6

git.kernel.org/...c/ad25a115f50800c6847e0d841c5c7992a9f7c1b3

git.kernel.org/...c/598d9e30927b15731e83797fbd700ecf399f42dd

git.kernel.org/...c/9e4b7a99a03aefd37ba7bb1f022c8efab5019165

cve.org (CVE-2022-49872)

nvd.nist.gov (CVE-2022-49872)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2022-49872

Support options

Helpdesk Chat, Email, Knowledgebase