Linux Kernel TCP skb_copy_ubufs Memory Leak Vulnerability with Hugepages

Vulnerability

A vulnerability in the Linux kernel's TCP implementation was introduced by changes allowing TCP segmentation offload (TSO) to handle larger packet sizes, up to 512 KB per segment. This change, combined with the use of hugepages, caused crashes in the skb_copy_ubufs() function, which is responsible for copying data from socket buffers. The function failed to handle the increased skb length properly, leading to a memory leak. The issue was not encountered by Google, as their configuration limited the maximum segment size and the number of fragments per skb.

Impact

The vulnerability could lead to a memory leak, causing increased memory usage and potential exhaustion of system resources.

Reproduction

The vulnerability can be reproduced by enabling TCP segmentation offload and using hugepages, with an skb length exceeding approximately 68 KB. This can be done by configuring the Linux kernel to allow larger packet sizes and allocating memory using hugepages.
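A triage check for the two preconditions listed above, as an added example that is not part of the original advisory or the kernel project: it parses `ip -d link show` output for interfaces whose `gso_max_size` exceeds the roughly 68 KB the page names, and reads hugepage counters from `/proc/meminfo`. The function names, the 68 * 1024 byte cutoff and the sample inputs are assumptions constructed for illustration; a match means the conditions are present, not that the running kernel lacks the fix.

```python
import re
import subprocess

# Assumption: the page's "approximately 68 KB" is compared as 68 * 1024 bytes.
THRESHOLD_BYTES = 68 * 1024
IFACE_RE = re.compile(r"^\d+:\s+([^:@\s]+)[^:]*:", re.M)
GSO_RE = re.compile(r"\bgso(?:_ipv4)?_max_size\s+(\d+)")
HUGE_KEYS = ("HugePages_Total", "AnonHugePages", "ShmemHugePages")

# Constructed sample of `ip -d link show` output (not captured from a real host).
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 gso_max_size 65536 gso_max_segs 65535
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc mq state UP
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff gso_max_size 524280 tso_max_size 524280
"""
# Constructed sample of /proc/meminfo lines.
SAMPLE_MEMINFO = "MemTotal:       16384000 kB\nAnonHugePages:    204800 kB\nHugePages_Total:       0\n"


def large_gso_interfaces(ip_link_text, threshold=THRESHOLD_BYTES):
    """Map interface name -> largest GSO size, for sizes above the threshold."""
    found = {}
    starts = [m.start() for m in IFACE_RE.finditer(ip_link_text)]
    for begin, end in zip(starts, starts[1:] + [len(ip_link_text)]):
        chunk = ip_link_text[begin:end]  # all lines belonging to one interface
        sizes = [int(v) for v in GSO_RE.findall(chunk)]
        if sizes and max(sizes) > threshold:
            found[IFACE_RE.match(chunk).group(1)] = max(sizes)
    return found


def hugepages_in_use(meminfo_text):
    """True if any explicit or transparent hugepage counter is non-zero."""
    fields = dict(re.findall(r"^(\w+):\s+(\d+)", meminfo_text, re.M))
    return any(int(fields.get(key, 0)) > 0 for key in HUGE_KEYS)


def exposed_interfaces(ip_link_text, meminfo_text):
    """Interfaces where both preconditions from the page are present."""
    if not hugepages_in_use(meminfo_text):
        return []
    return sorted(large_gso_interfaces(ip_link_text))


if __name__ == "__main__":
    print("sample:", exposed_interfaces(SAMPLE_IP_LINK, SAMPLE_MEMINFO))
    live = subprocess.run(["ip", "-d", "link", "show"], capture_output=True, text=True).stdout
    with open("/proc/meminfo") as fh:
        print("this host:", exposed_interfaces(live, fh.read()))
```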

Remediation

Users can apply the latest patches available in the Linux kernel stable tree to address this vulnerability.

Added: Oct 7, 2025, 5:07 PM
Updated: Oct 7, 2025, 5:07 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.