Linux Kernel NSH GSO Segment Vulnerability Causes SKB Panic

Vulnerability

A vulnerability in the Linux kernel's Network Service Header (NSH) Generic Segmentation Offload (GSO) handling has been fixed. The issue arose because the 'nsh_gso_segment' function used an incorrect 'mac_header' offset, leading to a panic when the segment was processed. This error occurred in versions of the Linux kernel prior to 6.3.0.

Impact

The vulnerability could cause a kernel panic due to an invalid 'mac_header' offset, disrupting network packet processing and potentially leading to a denial of service.

Reproduction

The vulnerability can be reproduced by using the 'nsh_gso_segment' function with a skewed 'mac_header' value, which can be set by an inner-layer protocol GSO function, such as 'mpls_gso_segment'. This misalignment causes the 'mac_header' to exceed the SKB headroom, triggering a panic when the SKB push function is called.

Remediation

Users can upgrade to Linux kernel version 6.3.0 or later, where this vulnerability has been addressed.
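
A host check built on the fixed-in version above, as an added example that is not part of the original advisory or the kernel project's tooling: it compares a kernel release string against 6.3.0 and looks for the nsh module in a /proc/modules-format listing. The function names and status words are this example's own, and it assumes NSH is built as a module named nsh.

```shell
#!/bin/sh
# Added example: host triage against the advisory's fixed-in version.
FIXED_IN="6.3.0"   # taken from the Remediation text above

# "5.15.0-91-generic" -> "5.15.0" (drop distro/build suffix)
kernel_base() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/'
}

# Succeeds when dotted version $1 is strictly lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 1
    }'
}

# Succeeds when the nsh module is listed in a /proc/modules-format file ($1).
# A kernel with NSH built in (CONFIG_NET_NSH=y) will not show up here.
nsh_loaded() {
    grep -q '^nsh ' "$1" 2>/dev/null
}

# assess RELEASE MODULES_FILE -> prints one status word
assess() {
    base=$(kernel_base "$1")
    if ! version_lt "$base" "$FIXED_IN"; then
        echo "fixed-by-version"
    elif nsh_loaded "$2"; then
        echo "pre-fix-nsh-loaded"      # NSH code is loaded: prioritise this host
    else
        echo "pre-fix-nsh-not-loaded"  # still upgrade; the module can be loaded later
    fi
}

# Distro kernels often backport fixes without changing the base version, so a
# "pre-fix" result means "confirm with the vendor changelog", not "vulnerable".
assess "$(uname -r)" /proc/modules
```
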

Added: Dec 24, 2025, 3:21 PM
Updated: Dec 24, 2025, 3:21 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.