Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:EOL][EOL]net: fix udp gso skb_segment after pull from frag_list[EOL][EOL]Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after[EOL]pull from frag_list") detected invalid geometry in frag_list skbs and[EOL]redirects them from skb_segment_list to more robust skb_segment. But some[EOL]packets with modified geometry can also hit bugs in that code. We don't[EOL]know how many such cases exist. Addressing each one by one also requires[EOL]touching the complex skb_segment code, which risks introducing bugs for[EOL]other types of skbs. Instead, linearize all these packets that fail the[EOL]basic invariants on gso fraglist skbs. That is more robust.[EOL][EOL]If only part of the fraglist payload is pulled into head_skb, it will[EOL]always cause exception when splitting skbs by skb_segment. For detailed[EOL]call stack information, see below.[EOL][EOL]Valid SKB_GSO_FRAGLIST skbs[EOL]- consist of two or more segments[EOL]- the head_skb holds the protocol headers plus first gso_size[EOL]- one or more frag_list skbs hold exactly one segment[EOL]- all but the last must be gso_size[EOL][EOL]Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can[EOL]modify fraglist skbs, breaking these invariants.[EOL][EOL]In extreme cases they pull one part of data into skb linear. For UDP,[EOL]this  causes three payloads with lengths of (11,11,10) bytes were[EOL]pulled tail to become (12,10,10) bytes.[EOL][EOL]The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because[EOL]payload was pulled into head_skb, it needs to be linearized before pass[EOL]to regular skb_segment.[EOL][EOL]    skb_segment+0xcd0/0xd14[EOL]    __udp_gso_segment+0x334/0x5f4[EOL]    udp4_ufo_fragment+0x118/0x15c[EOL]    inet_gso_segment+0x164/0x338[EOL]    skb_mac_gso_segment+0xc4/0x13c[EOL]    __skb_gso_segment+0xc4/0x124[EOL]    validate_xmit_skb+0x9c/0x2c0[EOL]    validate_xmit_skb_list+0x4c/0x80[EOL]    sch_direct_xmit+0x70/0x404[EOL]    __dev_queue_xmit+0x64c/0xe5c[EOL]    neigh_resolve_output+0x178/0x1c4[EOL]    ip_finish_output2+0x37c/0x47c[EOL]    __ip_finish_output+0x194/0x240[EOL]    ip_finish_output+0x20/0xf4[EOL]    ip_output+0x100/0x1a0[EOL]    NF_HOOK+0xc4/0x16c[EOL]    ip_forward+0x314/0x32c[EOL]    ip_rcv+0x90/0x118[EOL]    __netif_receive_skb+0x74/0x124[EOL]    process_backlog+0xe8/0x1a4[EOL]    __napi_poll+0x5c/0x1f8[EOL]    net_rx_action+0x154/0x314[EOL]    handle_softirqs+0x154/0x4b8[EOL][EOL]    [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278![EOL]    [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP[EOL]    [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000[EOL]    [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000[EOL]    [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO)[EOL]    [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14[EOL]    [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14[EOL]    [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770

CREATE(Triage):(User=lchen-cn) [CVE-2025-38124 (https://nvd.nist.gov/vuln/detail/CVE-2025-38124)