CVE-2022-49872 (GCVE-0-2022-49872)
Vulnerability from cvelistv5 – Published: 2025-05-01 14:10 – Updated: 2025-05-04 12:45
VLAI?
Title
net: gso: fix panic on frag_list with mixed head alloc types
Summary
In the Linux kernel, the following vulnerability has been resolved:
net: gso: fix panic on frag_list with mixed head alloc types
Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when
splitting gso_size mangled skb having linear-headed frag_list"), it is
allowed to change gso_size of a GRO packet. However, that commit assumes
that "checking the first list_skb member suffices; i.e if either of the
list_skb members have non head_frag head, then the first one has too".
It turns out this assumption does not hold. We've seen BUG_ON being hit
in skb_segment when skbs on the frag_list had differing head_frag with
the vmxnet3 driver. This happens because __netdev_alloc_skb and
__napi_alloc_skb can return a skb that is page backed or kmalloced
depending on the requested size. As the result, the last small skb in
the GRO packet can be kmalloced.
There are three different locations where this can be fixed:
(1) We could check head_frag in GRO and not allow GROing skbs with
different head_frag. However, that would lead to performance
regression on normal forward paths with unmodified gso_size, where
!head_frag in the last packet is not a problem.
(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating
that NETIF_F_SG is undesirable. That would need to eat a bit in
sk_buff. Furthermore, that flag can be unset when all skbs on the
frag_list are page backed. To retain good performance,
bpf_skb_net_grow/shrink would have to walk the frag_list.
(3) Walk the frag_list in skb_segment when determining whether
NETIF_F_SG should be cleared. This of course slows things down.
This patch implements (3). To limit the performance impact in
skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set
that have gso_size changed. Normal paths thus will not hit it.
We could check only the last skb but since we need to walk the whole
list anyway, let's stay on the safe side.
Severity ?
No CVSS data available.
Assigner
References
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Linux | Linux |
Affected:
162a5a8c3aff15c449e6b38355cdf80ab4f77a5a , < 5876b7f249a1ecbbcc8e35072c3828d6526d1c3a
(git)
Affected: 55fb612bef7fd237fb70068e2b6ff1cd1543a8ef , < 0a9f56e525ea871d3950b90076912f5c7494f00f (git) Affected: 821302dd0c51d29269ef73a595bdff294419e2cd , < bd5362e58721e4d0d1a37796593bd6e51536ce7a (git) Affected: 3dcbdb134f329842a38f0e6797191b885ab00a00 , < 65ad047fd83502447269fda8fd26c99077a9af47 (git) Affected: 3dcbdb134f329842a38f0e6797191b885ab00a00 , < 50868de7dc4e7f0fcadd6029f32bf4387c102ee6 (git) Affected: 3dcbdb134f329842a38f0e6797191b885ab00a00 , < ad25a115f50800c6847e0d841c5c7992a9f7c1b3 (git) Affected: 3dcbdb134f329842a38f0e6797191b885ab00a00 , < 598d9e30927b15731e83797fbd700ecf399f42dd (git) Affected: 3dcbdb134f329842a38f0e6797191b885ab00a00 , < 9e4b7a99a03aefd37ba7bb1f022c8efab5019165 (git) Affected: 92984818ff8cfd97311a5e0ac27f148a00df2b54 (git) |
|||||||
|
|||||||||
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"lessThan": "5876b7f249a1ecbbcc8e35072c3828d6526d1c3a",
"status": "affected",
"version": "162a5a8c3aff15c449e6b38355cdf80ab4f77a5a",
"versionType": "git"
},
{
"lessThan": "0a9f56e525ea871d3950b90076912f5c7494f00f",
"status": "affected",
"version": "55fb612bef7fd237fb70068e2b6ff1cd1543a8ef",
"versionType": "git"
},
{
"lessThan": "bd5362e58721e4d0d1a37796593bd6e51536ce7a",
"status": "affected",
"version": "821302dd0c51d29269ef73a595bdff294419e2cd",
"versionType": "git"
},
{
"lessThan": "65ad047fd83502447269fda8fd26c99077a9af47",
"status": "affected",
"version": "3dcbdb134f329842a38f0e6797191b885ab00a00",
"versionType": "git"
},
{
"lessThan": "50868de7dc4e7f0fcadd6029f32bf4387c102ee6",
"status": "affected",
"version": "3dcbdb134f329842a38f0e6797191b885ab00a00",
"versionType": "git"
},
{
"lessThan": "ad25a115f50800c6847e0d841c5c7992a9f7c1b3",
"status": "affected",
"version": "3dcbdb134f329842a38f0e6797191b885ab00a00",
"versionType": "git"
},
{
"lessThan": "598d9e30927b15731e83797fbd700ecf399f42dd",
"status": "affected",
"version": "3dcbdb134f329842a38f0e6797191b885ab00a00",
"versionType": "git"
},
{
"lessThan": "9e4b7a99a03aefd37ba7bb1f022c8efab5019165",
"status": "affected",
"version": "3dcbdb134f329842a38f0e6797191b885ab00a00",
"versionType": "git"
},
{
"status": "affected",
"version": "92984818ff8cfd97311a5e0ac27f148a00df2b54",
"versionType": "git"
}
]
},
{
"defaultStatus": "affected",
"product": "Linux",
"programFiles": [
"net/core/skbuff.c"
],
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"vendor": "Linux",
"versions": [
{
"status": "affected",
"version": "5.3"
},
{
"lessThan": "5.3",
"status": "unaffected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.9.*",
"status": "unaffected",
"version": "4.9.334",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.14.*",
"status": "unaffected",
"version": "4.14.300",
"versionType": "semver"
},
{
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"version": "4.19.267",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"version": "5.4.225",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"version": "5.10.155",
"versionType": "semver"
},
{
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"version": "5.15.79",
"versionType": "semver"
},
{
"lessThanOrEqual": "6.0.*",
"status": "unaffected",
"version": "6.0.9",
"versionType": "semver"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "6.1",
"versionType": "original_commit_for_fix"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.9.334",
"versionStartIncluding": "4.9.194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.14.300",
"versionStartIncluding": "4.14.145",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "4.19.267",
"versionStartIncluding": "4.19.74",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.4.225",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.10.155",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "5.15.79",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.0.9",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionEndExcluding": "6.1",
"versionStartIncluding": "5.3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
"versionStartIncluding": "5.2.16",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix panic on frag_list with mixed head alloc types\n\nSince commit 3dcbdb134f32 (\"net: gso: Fix skb_segment splat when\nsplitting gso_size mangled skb having linear-headed frag_list\"), it is\nallowed to change gso_size of a GRO packet. However, that commit assumes\nthat \"checking the first list_skb member suffices; i.e if either of the\nlist_skb members have non head_frag head, then the first one has too\".\n\nIt turns out this assumption does not hold. We\u0027ve seen BUG_ON being hit\nin skb_segment when skbs on the frag_list had differing head_frag with\nthe vmxnet3 driver. This happens because __netdev_alloc_skb and\n__napi_alloc_skb can return a skb that is page backed or kmalloced\ndepending on the requested size. As the result, the last small skb in\nthe GRO packet can be kmalloced.\n\nThere are three different locations where this can be fixed:\n\n(1) We could check head_frag in GRO and not allow GROing skbs with\n different head_frag. However, that would lead to performance\n regression on normal forward paths with unmodified gso_size, where\n !head_frag in the last packet is not a problem.\n\n(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating\n that NETIF_F_SG is undesirable. That would need to eat a bit in\n sk_buff. Furthermore, that flag can be unset when all skbs on the\n frag_list are page backed. To retain good performance,\n bpf_skb_net_grow/shrink would have to walk the frag_list.\n\n(3) Walk the frag_list in skb_segment when determining whether\n NETIF_F_SG should be cleared. This of course slows things down.\n\nThis patch implements (3). To limit the performance impact in\nskb_segment, the list is walked only for skbs with SKB_GSO_DODGY set\nthat have gso_size changed. Normal paths thus will not hit it.\n\nWe could check only the last skb but since we need to walk the whole\nlist anyway, let\u0027s stay on the safe side."
}
],
"providerMetadata": {
"dateUpdated": "2025-05-04T12:45:19.624Z",
"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"shortName": "Linux"
},
"references": [
{
"url": "https://git.kernel.org/stable/c/5876b7f249a1ecbbcc8e35072c3828d6526d1c3a"
},
{
"url": "https://git.kernel.org/stable/c/0a9f56e525ea871d3950b90076912f5c7494f00f"
},
{
"url": "https://git.kernel.org/stable/c/bd5362e58721e4d0d1a37796593bd6e51536ce7a"
},
{
"url": "https://git.kernel.org/stable/c/65ad047fd83502447269fda8fd26c99077a9af47"
},
{
"url": "https://git.kernel.org/stable/c/50868de7dc4e7f0fcadd6029f32bf4387c102ee6"
},
{
"url": "https://git.kernel.org/stable/c/ad25a115f50800c6847e0d841c5c7992a9f7c1b3"
},
{
"url": "https://git.kernel.org/stable/c/598d9e30927b15731e83797fbd700ecf399f42dd"
},
{
"url": "https://git.kernel.org/stable/c/9e4b7a99a03aefd37ba7bb1f022c8efab5019165"
}
],
"title": "net: gso: fix panic on frag_list with mixed head alloc types",
"x_generator": {
"engine": "bippy-1.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
"assignerShortName": "Linux",
"cveId": "CVE-2022-49872",
"datePublished": "2025-05-01T14:10:22.402Z",
"dateReserved": "2025-05-01T14:05:17.238Z",
"dateUpdated": "2025-05-04T12:45:19.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…