cve/published/2021/CVE-2021-47036.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47036: udp: skip L4 aggregation for UDP tunnel packets

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 udp: skip L4 aggregation for UDP tunnel packets

 If NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there
 are UDP tunnels available in the system, udp_gro_receive() could end-up
 doing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at
 the outer UDP tunnel level for packets effectively carrying and UDP
 tunnel header.

 That could cause inner protocol corruption. If e.g. the relevant
 packets carry a vxlan header, different vxlan ids will be ignored/
 aggregated to the same GSO packet. Inner headers will be ignored, too,
 so that e.g. TCP over vxlan push packets will be held in the GRO
 engine till the next flush, etc.

 Just skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the
 current packet could land in a UDP tunnel, and let udp_gro_receive()
 do GRO via udp_sk(sk)->gro_receive.

 The check implemented in this patch is broader than what is strictly
 needed, as the existing UDP tunnel could be e.g. configured on top of
 a different device: we could end-up skipping GRO at-all for some packets.

 Anyhow, that is a very thin corner case and covering it will add quite
 a bit of complexity.

 v1 -> v2:
  - hopefully clarify the commit message

 The Linux kernel CVE team has assigned CVE-2021-47036 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 5.12.4 with commit 450687386cd16d081b58cd7a342acff370a96078
 	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 5.13 with commit 18f25dc399901426dff61e676ba603ff52c666f7

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47036
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv4/udp_offload.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/450687386cd16d081b58cd7a342acff370a96078
 	https://git.kernel.org/stable/c/18f25dc399901426dff61e676ba603ff52c666f7
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47036: udp: skip L4 aggregation for UDP tunnel packets

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	udp: skip L4 aggregation for UDP tunnel packets

	If NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there
	are UDP tunnels available in the system, udp_gro_receive() could end-up
	doing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at
	the outer UDP tunnel level for packets effectively carrying and UDP
	tunnel header.

	That could cause inner protocol corruption. If e.g. the relevant
	packets carry a vxlan header, different vxlan ids will be ignored/
	aggregated to the same GSO packet. Inner headers will be ignored, too,
	so that e.g. TCP over vxlan push packets will be held in the GRO
	engine till the next flush, etc.

	Just skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the
	current packet could land in a UDP tunnel, and let udp_gro_receive()
	do GRO via udp_sk(sk)->gro_receive.

	The check implemented in this patch is broader than what is strictly
	needed, as the existing UDP tunnel could be e.g. configured on top of
	a different device: we could end-up skipping GRO at-all for some packets.

	Anyhow, that is a very thin corner case and covering it will add quite
	a bit of complexity.

	v1 -> v2:
	- hopefully clarify the commit message

	The Linux kernel CVE team has assigned CVE-2021-47036 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 5.12.4 with commit 450687386cd16d081b58cd7a342acff370a96078
	Issue introduced in 5.6 with commit 9fd1ff5d2ac7181844735806b0a703c942365291 and fixed in 5.13 with commit 18f25dc399901426dff61e676ba603ff52c666f7

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47036
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv4/udp_offload.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/450687386cd16d081b58cd7a342acff370a96078
	https://git.kernel.org/stable/c/18f25dc399901426dff61e676ba603ff52c666f7