Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]net: drop UFO packets in udp_rcv_segment()[EOL][EOL]When sending a packet with virtio_net_hdr to tun device, if the gso_type[EOL]in virtio_net_hdr is SKB_GSO_UDP and the gso_size is less than udphdr[EOL]size, below crash may happen.[EOL][EOL]  ------------[ cut here ]------------[EOL]  kernel BUG at net/core/skbuff.c:4572![EOL]  Oops: invalid opcode: 0000 [#1] SMP NOPTI[EOL]  CPU: 0 UID: 0 PID: 62 Comm: mytest Not tainted 6.16.0-rc7 #203 PREEMPT(voluntary)[EOL]  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014[EOL]  RIP: 0010:skb_pull_rcsum+0x8e/0xa0[EOL]  Code: 00 00 5b c3 cc cc cc cc 8b 93 88 00 00 00 f7 da e8 37 44 38 00 f7 d8 89 83 88 00 00 00 48 8b 83 c8 00 00 00 5b c3 cc cc cc cc <0f> 0b 0f 0b 66 66 2e 0f 1f 84 00 000[EOL]  RSP: 0018:ffffc900001fba38 EFLAGS: 00000297[EOL]  RAX: 0000000000000004 RBX: ffff8880040c1000 RCX: ffffc900001fb948[EOL]  RDX: ffff888003e6d700 RSI: 0000000000000008 RDI: ffff88800411a062[EOL]  RBP: ffff8880040c1000 R08: 0000000000000000 R09: 0000000000000001[EOL]  R10: ffff888003606c00 R11: 0000000000000001 R12: 0000000000000000[EOL]  R13: ffff888004060900 R14: ffff888004050000 R15: ffff888004060900[EOL]  FS:  000000002406d3c0(0000) GS:ffff888084a19000(0000) knlGS:0000000000000000[EOL]  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033[EOL]  CR2: 0000000020000040 CR3: 0000000004007000 CR4: 00000000000006f0[EOL]  Call Trace:[EOL]   <TASK>[EOL]   udp_queue_rcv_one_skb+0x176/0x4b0 net/ipv4/udp.c:2445[EOL]   udp_queue_rcv_skb+0x155/0x1f0 net/ipv4/udp.c:2475[EOL]   udp_unicast_rcv_skb+0x71/0x90 net/ipv4/udp.c:2626[EOL]   __udp4_lib_rcv+0x433/0xb00 net/ipv4/udp.c:2690[EOL]   ip_protocol_deliver_rcu+0xa6/0x160 net/ipv4/ip_input.c:205[EOL]   ip_local_deliver_finish+0x72/0x90 net/ipv4/ip_input.c:233[EOL]   ip_sublist_rcv_finish+0x5f/0x70 net/ipv4/ip_input.c:579[EOL]   ip_sublist_rcv+0x122/0x1b0 net/ipv4/ip_input.c:636[EOL]   ip_list_rcv+0xf7/0x130 net/ipv4/ip_input.c:670[EOL]   __netif_receive_skb_list_core+0x21d/0x240 net/core/dev.c:6067[EOL]   netif_receive_skb_list_internal+0x186/0x2b0 net/core/dev.c:6210[EOL]   napi_complete_done+0x78/0x180 net/core/dev.c:6580[EOL]   tun_get_user+0xa63/0x1120 drivers/net/tun.c:1909[EOL]   tun_chr_write_iter+0x65/0xb0 drivers/net/tun.c:1984[EOL]   vfs_write+0x300/0x420 fs/read_write.c:593[EOL]   ksys_write+0x60/0xd0 fs/read_write.c:686[EOL]   do_syscall_64+0x50/0x1c0 arch/x86/entry/syscall_64.c:63[EOL]   </TASK>[EOL][EOL]To trigger gso segment in udp_queue_rcv_skb(), we should also set option[EOL]UDP_ENCAP_ESPINUDP to enable udp_sk(sk)->encap_rcv. When the encap_rcv[EOL]hook return 1 in udp_queue_rcv_one_skb(), udp_csum_pull_header() will try[EOL]to pull udphdr, but the skb size has been segmented to gso size, which[EOL]leads to this crash.[EOL][EOL]Previous commit cf329aa42b66 ("udp: cope with UDP GRO packet misdirection")[EOL]introduces segmentation in UDP receive path only for GRO, which was never[EOL]intended to be used for UFO, so drop UFO packets in udp_rcv_segment().

CREATE(Triage):(User=pbi-cn) [CVE-2025-38622 (https://nvd.nist.gov/vuln/detail/CVE-2025-38622)