gso: do not skip outer ip header in case of ipip and net_failover (CVE-2022-48936)

admin 2024-08-22 23:48:10 Ali_nvd Source: ZONE.CI 全球网

CVE ID

CVE-2022-48936

Exploitation status

None so far

Patch status

N/A

Disclosure date

2024-08-22
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:

gso: do not skip outer ip header in case of ipip and net_failover

We encounter a tcp drop issue in our cloud environment. Packet GROed in host forwards to a VM virtio_net nic with net_failover enabled. VM acts as an IPVS LB with ipip encapsulation. The full path is like:

  host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat -> ipip encap -> net_failover tx -> virtio_net tx

When net_failover transmits an ipip pkt (gso_type = 0x0103, which means SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso done because it supports TSO and GSO_IPXIP4. But network_header points to inner ip header.

Call Trace:
  tcp4_gso_segment        ------> return NULL
  inet_gso_segment        ------> inner iph, network_header points to
  ipip_gso_segment
  inet_gso_segment        ------> outer iph
  skb_mac_gso_segment

Afterwards virtio_net transmits the pkt, only inner ip header is modified. And the outer one just keeps unchanged. The pkt will be dropped in remote host.

Call Trace:
  inet_gso_segment        ------> inner iph, outer iph is skipped
  skb_mac_gso_segment
  __skb_gso_segment
  validate_xmit_skb
  validate_xmit_skb_list
  sch_direct_xmit
  __qdisc_run
  __dev_queue_xmit        ------> virtio_net
  dev_hard_start_xmit
  __dev_queue_xmit        ------> net_failover
  ip_finish_output2
  ip_output
  iptunnel_xmit
  ip_tunnel_xmit
  ipip_tunnel_xmit        ------> ipip
  dev_hard_start_xmit
  __dev_queue_xmit
  ip_finish_output2
  ip_output
  ip_forward
  ip_rcv
  __netif_receive_skb_one_core
  netif_receive_skb_internal
  napi_gro_receive
  receive_buf
  virtnet_poll
  net_rx_action

The root cause of this issue is specific to the rare combination of SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.

SKB_GSO_DODGY is set from external virtio_net. We need to reset network header when callbacks.gso_segment() returns NULL.

This patch also includes ipv6_gso_segment(), considering SIT, etc.
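A simplified user-space model of the header bookkeeping described above, added here as an example; it is not kernel code and not the patch itself. The toy_skb struct, the toy_* functions, the fixed 14/20-byte header sizes and the exact form of the reset are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define TOY_ETH_HLEN 14   /* assumed Ethernet header size */
#define TOY_IP_HLEN  20   /* assumed IPv4 header size, no options */
enum { PROTO_IPIP = 4, PROTO_TCP = 6 };

/* Hypothetical stand-in for the sk_buff offsets that matter here. */
struct toy_skb {
    size_t mac_header;      /* offset of the Ethernet header */
    size_t network_header;  /* offset later treated as "the" IP header */
    size_t data;            /* current parse position */
    int protos[2];          /* constructed sample: outer IP -> IPIP, inner IP -> TCP */
};

/* Models tcp4_gso_segment when the device supports the features: NULL (0). */
static int toy_tcp4_gso_segment(struct toy_skb *skb) { (void)skb; return 0; }

/* One IP layer: mark the header, pull it, hand over to the next protocol. */
static int toy_inet_gso_segment(struct toy_skb *skb, int depth, int reset_on_null)
{
    size_t nhoff = skb->data - skb->mac_header;  /* this layer, relative to MAC */
    int segs;

    skb->network_header = skb->data;             /* network header := this layer */
    skb->data += TOY_IP_HLEN;                    /* pull this IP header */
    if (skb->protos[depth] == PROTO_IPIP)        /* ipip_gso_segment -> inner IP */
        segs = toy_inet_gso_segment(skb, depth + 1, reset_on_null);
    else
        segs = toy_tcp4_gso_segment(skb);
    if (!segs && reset_on_null)                  /* reset when the callback returns NULL */
        skb->network_header = skb->mac_header + nhoff;
    return segs;
}

/* Returns the network_header offset left behind after the GSO walk. */
size_t network_header_after_gso(int reset_on_null)
{
    struct toy_skb skb = { 0, 0, TOY_ETH_HLEN, { PROTO_IPIP, PROTO_TCP } };
    toy_inet_gso_segment(&skb, 0, reset_on_null);
    return skb.network_header;
}

int main(void)
{
    printf("without reset: %zu (inner iph)\n", network_header_after_gso(0));
    printf("with reset:    %zu (outer iph)\n", network_header_after_gso(1));
    return 0;
}
```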
Recommended fix
Update the affected system or software to the latest version to remediate the vulnerability.
Reference links
https://git.kernel.org/stable/c/2b3cdd70ea5f5a694f95ea1788393fb3b83071ea
https://git.kernel.org/stable/c/45d006c2c7ed7baf1fa258fa7b5bc9923d3a983e
https://git.kernel.org/stable/c/7840e559799a08a8588ee6de27516a991cb2e5e7
https://git.kernel.org/stable/c/899e56a1ad435261812355550ae869d8be3df395
https://git.kernel.org/stable/c/a739963f43269297c3f438b776194542e2a97499
https://git.kernel.org/stable/c/cc20cced0598d9a5ff91ae4ab147b3b5e99ee819
https://git.kernel.org/stable/c/dac2490d9ee0b89dffc72f1172b8bbeb60eaec39
https://git.kernel.org/stable/c/e9ffbe63f6f32f526a461756309b61c395168d73
CVSS3 score N/A
  • Attack vector N/A
  • Attack complexity N/A
  • Privileges required N/A
  • Scope N/A
  • User interaction N/A
  • Availability N/A
  • Confidentiality N/A
  • Integrity N/A
CWE-ID  Vulnerability type
N/A
- avd.aliyun.com