Conversation

PlaidCat
Collaborator

Commits

    net: fix udp gso skb_segment after pull from frag_list

    jira VULN-71810
    cve CVE-2025-38124
    commit-author Shiming Cheng <shiming.cheng@mediatek.com>
    commit 3382a1ed7f778db841063f5d7e317ac55f9e7f72
    gso: fix udp gso fraglist segmentation after pull from frag_list

    jira VULN-45771
    cve CVE-2024-49978
    commit-author Willem de Bruijn <willemb@google.com>
    commit a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab
    bpf: Fix a segment issue when downgrading gso_size

    jira VULN-38755
    cve CVE-2024-42281
    commit-author Fred Li <dracodingfly@gmail.com>
    commit fa5ef655615a01533035c6139248c5b33aa27028

Build

[jmaple@devbox code]$ egrep -B 5 -A 5 "\[TIMER\]|^Starting Build" $(ls -t kbuild* | head -n1)
/mnt/code/kernel-src-tree-build
Running make mrproper...
[TIMER]{MRPROPER}: 5s
x86_64 architecture detected, copying config
'configs/kernel-x86_64-rhel.config' -> '.config'
Setting Local Version for build
CONFIG_LOCALVERSION="-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082"
Making olddefconfig
--
  HOSTCC  scripts/kconfig/util.o
  HOSTLD  scripts/kconfig/conf
#
# configuration written to .config
#
Starting Build
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_64.h
  SYSTBL  arch/x86/include/generated/asm/syscalls_32.h
  SYSHDR  arch/x86/include/generated/uapi/asm/unistd_x32.h
  SYSHDR  arch/x86/include/generated/asm/unistd_32_ia32.h
--
  BTF [M] sound/virtio/virtio_snd.ko
  BTF [M] sound/x86/snd-hdmi-lpe-audio.ko
  LD [M]  virt/lib/irqbypass.ko
  BTF [M] sound/xen/snd_xen_front.ko
  BTF [M] virt/lib/irqbypass.ko
[TIMER]{BUILD}: 1331s
Making Modules
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/blake2s-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/blowfish-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/camellia-aesni-avx-x86_64.ko
  INSTALL /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/arch/x86/crypto/camellia-aesni-avx2.ko
--
  STRIP   /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/virt/lib/irqbypass.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/sound/xen/snd_xen_front.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/sound/usb/snd-usb-audio.ko
  SIGN    /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+/kernel/virt/lib/irqbypass.ko
  DEPMOD  /lib/modules/5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+
[TIMER]{MODULES}: 6s
Making Install
sh ./arch/x86/boot/install.sh \
        5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+ arch/x86/boot/bzImage \
        System.map "/boot"
[TIMER]{INSTALL}: 24s
Checking kABI
kABI check passed
Setting Default Kernel to /boot/vmlinuz-5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+ and Index to 2
Hopefully Grub2.0 took everything ... rebooting after time metrices
[TIMER]{MRPROPER}: 5s
[TIMER]{BUILD}: 1331s
[TIMER]{MODULES}: 6s
[TIMER]{INSTALL}: 24s
[TIMER]{TOTAL} 1370s
Rebooting in 10 seconds

KselfTest

[jmaple@devbox code]$ ./get_kselftest_diff.sh
kselftest.5.14.0-284.30.1.el9_2.ciqfips.0.14.1.x86_64.log
314
kselftest.5.14.0-_jmaple__fips-9-compliant_5.14.0-284.30.1-f298ec762bf8+.log
313
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+.log
314
kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
327
Before: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-4db430364722+.log
After: kselftest.5.14.0-jmaple_fips-9-compliant_5.14.0-284.30.1-5acbf59af082+.log
Diff:
+ok 11 selftests: proc: proc-uptime-001
+ok 12 selftests: x86: fsgsbase_restore_64
+ok 13 selftests: x86: sigaltstack_64
+ok 14 selftests: x86: fsgsbase_64
+ok 15 selftests: x86: sysret_rip_64
+ok 16 selftests: x86: syscall_numbering_64
+ok 17 selftests: x86: corrupt_xstate_header_64
+ok 2 selftests: x86: sysret_ss_attrs_64
+ok 3 selftests: x86: syscall_nt_64
+ok 4 selftests: x86: test_mremap_vdso_64
+ok 5 selftests: x86: check_initial_reg_state_64
-ok 6 selftests: net: tls
+ok 7 selftests: x86: iopl_64
+ok 8 selftests: x86: ioperm_64
+ok 9 selftests: x86: test_vsyscall_64

jira VULN-38755
cve CVE-2024-42281
commit-author Fred Li <dracodingfly@gmail.com>
commit fa5ef65

Linearize the skb when downgrading gso_size because it may trigger a
BUG_ON() later when the skb is segmented as described in [1,2].

Fixes: 2be7e21 ("bpf: add bpf_skb_adjust_room helper")
	Signed-off-by: Fred Li <dracodingfly@gmail.com>
	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	Reviewed-by: Willem de Bruijn <willemb@google.com>
	Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/all/20240626065555.35460-2-dracodingfly@gmail.com [1]
Link: https://lore.kernel.org/all/668d5cf1ec330_1c18c32947@willemb.c.googlers.com.notmuch [2]
Link: https://lore.kernel.org/bpf/20240719024653.77006-1-dracodingfly@gmail.com
(cherry picked from commit fa5ef65)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-45771
cve CVE-2024-49978
commit-author Willem de Bruijn <willemb@google.com>
commit a1e40ac

Detect gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.

In extreme cases they pull all data into skb linear. For UDP, this
causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
udp_hdr(seg->next)->dest.

Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.

Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
Fixes: 9fd1ff5 ("udp: Support UDP fraglist GRO/GSO.")
	Signed-off-by: Willem de Bruijn <willemb@google.com>
	Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmail.com
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit a1e40ac)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
jira VULN-71810
cve CVE-2025-38124
commit-author Shiming Cheng <shiming.cheng@mediatek.com>
commit 3382a1e

Commit a1e40ac ("net: gso: fix udp gso fraglist segmentation after
pull from frag_list") detected invalid geometry in frag_list skbs and
redirects them from skb_segment_list to more robust skb_segment. But some
packets with modified geometry can also hit bugs in that code. We don't
know how many such cases exist. Addressing each one by one also requires
touching the complex skb_segment code, which risks introducing bugs for
other types of skbs. Instead, linearize all these packets that fail the
basic invariants on gso fraglist skbs. That is more robust.

If only part of the fraglist payload is pulled into head_skb, it will
always cause an exception when splitting skbs by skb_segment. For detailed
call stack information, see below.

Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size

Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify fraglist skbs, breaking these invariants.

In extreme cases they pull one part of the data into skb linear. For UDP,
this caused three payloads with lengths of (11,11,10) bytes that were
pulled tail to become (12,10,10) bytes.

The skb no longer meets the above SKB_GSO_FRAGLIST conditions because
payload was pulled into head_skb; it needs to be linearized before being
passed to regular skb_segment.

    skb_segment+0xcd0/0xd14
    __udp_gso_segment+0x334/0x5f4
    udp4_ufo_fragment+0x118/0x15c
    inet_gso_segment+0x164/0x338
    skb_mac_gso_segment+0xc4/0x13c
    __skb_gso_segment+0xc4/0x124
    validate_xmit_skb+0x9c/0x2c0
    validate_xmit_skb_list+0x4c/0x80
    sch_direct_xmit+0x70/0x404
    __dev_queue_xmit+0x64c/0xe5c
    neigh_resolve_output+0x178/0x1c4
    ip_finish_output2+0x37c/0x47c
    __ip_finish_output+0x194/0x240
    ip_finish_output+0x20/0xf4
    ip_output+0x100/0x1a0
    NF_HOOK+0xc4/0x16c
    ip_forward+0x314/0x32c
    ip_rcv+0x90/0x118
    __netif_receive_skb+0x74/0x124
    process_backlog+0xe8/0x1a4
    __napi_poll+0x5c/0x1f8
    net_rx_action+0x154/0x314
    handle_softirqs+0x154/0x4b8

    [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278!
    [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP
    [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000
    [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000
    [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)
    [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14
    [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14
    [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770

Fixes: a1e40ac ("gso: fix udp gso fraglist segmentation after pull from frag_list")
	Signed-off-by: Shiming Cheng <shiming.cheng@mediatek.com>
	Reviewed-by: Willem de Bruijn <willemb@google.com>
	Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 3382a1e)
	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
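The geometry invariants and the detect-then-linearize decision described in the three commit messages above, as a userspace C model added by the editor (it is not kernel code and not part of this PR). The struct and function names (`toy_gso_skb`, `fraglist_geometry_valid`, `pull_to_head`, `choose_segment_path`) are hypothetical stand-ins for `sk_buff`, the head_skb size check and `__skb_linearize`; the (11,11,10) input is the constructed case quoted in the commit message.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Model (not kernel code) of the SKB_GSO_FRAGLIST invariants quoted above:
 *   - two or more segments
 *   - head_skb holds the protocol headers plus exactly gso_size bytes of payload
 *   - each frag_list skb holds exactly one segment, all but the last gso_size long
 */
#define TOY_MAX_FRAGS 8

struct toy_gso_skb {
    size_t hdr_len;                 /* header bytes in head_skb (8 for UDP) */
    size_t gso_size;                /* payload bytes per segment */
    size_t head_payload;            /* payload bytes currently in head_skb */
    size_t frag_len[TOY_MAX_FRAGS]; /* payload bytes in each frag_list skb */
    size_t nr_frags;                /* number of frag_list skbs */
};

enum seg_path {
    SEG_FRAGLIST_LIST,  /* geometry intact: skb_segment_list fast path */
    SEG_LINEARIZED,     /* geometry broken: linearize, then regular skb_segment */
};

struct toy_gso_skb make_fraglist_skb(size_t hdr_len, size_t gso_size, size_t head_payload,
                                     const size_t *frags, size_t nr_frags)
{
    struct toy_gso_skb s = {0};
    s.hdr_len = hdr_len;
    s.gso_size = gso_size;
    s.head_payload = head_payload;
    s.nr_frags = nr_frags > TOY_MAX_FRAGS ? TOY_MAX_FRAGS : nr_frags;
    for (size_t i = 0; i < s.nr_frags; i++)
        s.frag_len[i] = frags[i];
    return s;
}

size_t total_payload(const struct toy_gso_skb *s)
{
    size_t total = s->head_payload;
    for (size_t i = 0; i < s->nr_frags; i++)
        total += s->frag_len[i];
    return total;
}

/* The invariant check the fix hinges on: head_skb size plus per-segment sizes. */
bool fraglist_geometry_valid(const struct toy_gso_skb *s)
{
    if (s->nr_frags == 0 || s->head_payload != s->gso_size)
        return false;
    for (size_t i = 0; i < s->nr_frags; i++) {
        bool last = (i + 1 == s->nr_frags);
        if (!last && s->frag_len[i] != s->gso_size)
            return false;
        if (last && (s->frag_len[i] == 0 || s->frag_len[i] > s->gso_size))
            return false;
    }
    return true;
}

/* Model of a hook (NAT, bpf_skb_pull_data) pulling n payload bytes from the
 * front of the frag_list into head_skb; drained frag_list skbs are unlinked. */
size_t pull_to_head(struct toy_gso_skb *s, size_t n)
{
    size_t pulled = 0;
    while (pulled < n && s->nr_frags > 0) {
        size_t take = n - pulled;
        if (take > s->frag_len[0])
            take = s->frag_len[0];
        s->frag_len[0] -= take;
        s->head_payload += take;
        pulled += take;
        if (s->frag_len[0] == 0) {
            for (size_t i = 1; i < s->nr_frags; i++)
                s->frag_len[i - 1] = s->frag_len[i];
            s->nr_frags--;
        }
    }
    return pulled;
}

/* Collapse everything into one linear payload (what __skb_linearize achieves). */
void linearize(struct toy_gso_skb *s)
{
    s->head_payload = total_payload(s);
    s->nr_frags = 0;
}

/* Segments regular skb_segment yields from a linear skb: ceil(payload / gso_size). */
size_t linear_segment_count(const struct toy_gso_skb *s)
{
    return (total_payload(s) + s->gso_size - 1) / s->gso_size;
}

/* The dispatch: keep the fast path only for intact geometry, otherwise linearize. */
enum seg_path choose_segment_path(struct toy_gso_skb *s)
{
    if (fraglist_geometry_valid(s))
        return SEG_FRAGLIST_LIST;
    linearize(s);
    return SEG_LINEARIZED;
}

int main(void)
{
    size_t frags[] = {11, 10};   /* constructed: the (11,11,10) case, gso_size 11 */
    struct toy_gso_skb s = make_fraglist_skb(8, 11, 11, frags, 2);
    printf("before pull: valid=%d\n", fraglist_geometry_valid(&s));
    pull_to_head(&s, 1);         /* head becomes 12, frag_list becomes (10,10) */
    printf("after pull: head=%zu valid=%d\n", s.head_payload, fraglist_geometry_valid(&s));
    enum seg_path p = choose_segment_path(&s);
    printf("path=%s payload=%zu segments=%zu\n",
           p == SEG_LINEARIZED ? "linearize+skb_segment" : "skb_segment_list",
           s.head_payload, linear_segment_count(&s));
    return 0;
}
```

Pulling a single byte is enough to break the head_skb invariant, and once linearized the 32-byte payload segments cleanly back into (11,11,10); a hook that pulls the entire frag_list leaves no frag_list skbs at all, which the same check catches, rather than the NULL dereference on `seg->next` described for CVE-2024-49978.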

🔍 Upstream Linux Kernel Commit Check

  • ⚠️ PR commit 1c6ca07dec21 (gso: fix udp gso fraglist segmentation after pull from frag_list) references upstream commit
    a1e40ac5b5e9 which has been referenced by a Fixes: tag in the upstream
    Linux kernel:
    3382a1ed7f77 net: fix udp gso skb_segment after pull from frag_list (Shiming Cheng)

This is an automated message from the kernel commit checker workflow.

@PlaidCat
Collaborator Author

Already Included

Collaborator

@bmastbergen bmastbergen left a comment

🥌

@PlaidCat PlaidCat merged commit 5acbf59 into fips-9-compliant/5.14.0-284.30.1 Sep 30, 2025
3 checks passed
@PlaidCat PlaidCat deleted the {jmaple}_fips-9-compliant/5.14.0-284.30.1 branch September 30, 2025 19:32