Linux Kernel GSO Size Validation Vulnerability in virtio_net Header Processing

Vulnerability

A vulnerability in the Linux kernel's handling of Generic Segmentation Offload (GSO) sizes has been addressed. The issue arose from a missing validation check in the 'virtio_net_hdr_to_skb()' function, which allowed the GSO size to be set to the special value 'GSO_BY_FRAGS' (0xffff). This value is reserved for internal kernel use, and accepting it from a virtio_net header led to a crash. The problem was reported by syzbot, a kernel fuzzer, which identified a general protection fault caused by dereferencing a null pointer. This vulnerability affects Linux kernel versions 6.5.0-rc5 and earlier.
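The following is an added, stand-alone C model of the check described above; it is not kernel code and not taken from this page. It decodes the 10-byte virtio_net header (field layout and the VIRTIO_NET_HDR_* / GSO_BY_FRAGS constants are the real uapi values) and validates the GSO metadata. The 'reject_by_frags' flag is an assumption of this model used to show the vulnerable behaviour (0xffff accepted) beside the fixed behaviour (0xffff rejected with -EINVAL); the 'hdr_len' sanity check and the sample headers are also constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Real constants from the kernel's uapi virtio_net.h and GSO headers. */
#define VIRTIO_NET_HDR_F_NEEDS_CSUM 1
#define VIRTIO_NET_HDR_GSO_NONE     0
#define VIRTIO_NET_HDR_GSO_TCPV4    1
#define VIRTIO_NET_HDR_GSO_UDP      3
#define VIRTIO_NET_HDR_GSO_TCPV6    4
#define VIRTIO_NET_HDR_GSO_UDP_L4   5
#define GSO_BY_FRAGS                0xFFFF   /* reserved for kernel-internal use */
#define VNET_HDR_LEN                10

/* Host-order copy of the header; the wire fields are little-endian. */
struct vnet_hdr {
    uint8_t  flags;
    uint8_t  gso_type;
    uint16_t hdr_len;
    uint16_t gso_size;
    uint16_t csum_start;
    uint16_t csum_offset;
};

/* Model result codes; -22 mirrors the kernel's -EINVAL. */
enum { VNET_OK = 0, VNET_EINVAL = -22 };

static uint16_t rd_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Decode the header from a buffer; truncated buffers are rejected. */
int vnet_hdr_parse(const uint8_t *buf, size_t len, struct vnet_hdr *out)
{
    if (len < VNET_HDR_LEN)
        return VNET_EINVAL;
    out->flags       = buf[0];
    out->gso_type    = buf[1];
    out->hdr_len     = rd_le16(buf + 2);
    out->gso_size    = rd_le16(buf + 4);
    out->csum_start  = rd_le16(buf + 6);
    out->csum_offset = rd_le16(buf + 8);
    return VNET_OK;
}

/* Validate GSO metadata. reject_by_frags == 0 models the vulnerable path
 * (GSO_BY_FRAGS accepted); 1 models the fixed path (GSO_BY_FRAGS rejected). */
int vnet_hdr_validate(const struct vnet_hdr *h, size_t pkt_len, int reject_by_frags)
{
    if (h->gso_type == VIRTIO_NET_HDR_GSO_NONE)
        return VNET_OK;                         /* no segmentation requested */

    switch (h->gso_type) {
    case VIRTIO_NET_HDR_GSO_TCPV4:
    case VIRTIO_NET_HDR_GSO_TCPV6:
    case VIRTIO_NET_HDR_GSO_UDP:
    case VIRTIO_NET_HDR_GSO_UDP_L4:
        break;
    default:
        return VNET_EINVAL;                     /* unknown GSO type */
    }

    /* UDP_L4 segmentation requires checksum offload to be requested. */
    if (h->gso_type == VIRTIO_NET_HDR_GSO_UDP_L4 &&
        !(h->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM))
        return VNET_EINVAL;

    /* The check the fix added: a caller-supplied gso_size must never equal
     * the kernel's private GSO_BY_FRAGS marker. */
    if (reject_by_frags && h->gso_size == GSO_BY_FRAGS)
        return VNET_EINVAL;

    /* Model-only sanity check: header length cannot exceed the packet. */
    if (h->hdr_len > pkt_len)
        return VNET_EINVAL;

    return VNET_OK;
}

/* Parse and validate a header-prefixed packet in one call. */
int vnet_check_packet(const uint8_t *buf, size_t len, int reject_by_frags)
{
    struct vnet_hdr h;
    int rc = vnet_hdr_parse(buf, len, &h);
    if (rc != VNET_OK)
        return rc;
    return vnet_hdr_validate(&h, len - VNET_HDR_LEN, reject_by_frags);
}

/* Constructed samples: TCPv4 GSO headers (hdr_len 54, csum_start 34,
 * csum_offset 16) followed by a zeroed 64-byte payload. */
static const uint8_t sample_bad[VNET_HDR_LEN + 64]  = {
    0x01, 0x01, 0x36, 0x00, 0xff, 0xff, 0x22, 0x00, 0x10, 0x00 }; /* gso_size = 0xffff */
static const uint8_t sample_good[VNET_HDR_LEN + 64] = {
    0x01, 0x01, 0x36, 0x00, 0xb4, 0x05, 0x22, 0x00, 0x10, 0x00 }; /* gso_size = 1460 */

int main(void)
{
    printf("bad header, vulnerable path: %d\n", vnet_check_packet(sample_bad, sizeof sample_bad, 0));
    printf("bad header, fixed path:      %d\n", vnet_check_packet(sample_bad, sizeof sample_bad, 1));
    printf("good header, fixed path:     %d\n", vnet_check_packet(sample_good, sizeof sample_good, 1));
    return 0;
}
```

The point of the model is the single comparison at the GSO_BY_FRAGS line: on the vulnerable path the bad header passes every other check and would hand 0xffff to the segmentation code, which interprets that value as an internal instruction rather than a segment length; on the fixed path it is rejected before it reaches that code.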

Impact

Exploitation of this vulnerability causes a kernel crash due to a general protection fault, likely related to a non-canonical memory address.

Reproduction

The vulnerability can be reproduced by sending a packet with the GSO size set to 'GSO_BY_FRAGS' (0xffff) through a network interface that uses the virtio_net driver. This can be done with a tool that manipulates packet headers, such as 'scapy' or 'nping', sending the crafted packets over UDP or TCP. A resulting kernel crash indicates that the vulnerability is present.

Remediation

Users should upgrade to the latest stable version of the Linux kernel, in which this vulnerability has been fixed. Instructions for upgrading the kernel can be found in the official Linux kernel documentation.

Added: Dec 24, 2025, 4:21 PM
Updated: Dec 24, 2025, 4:21 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.6
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.