Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability in the Linux kernel's handling of UDP Generic Segmentation Offload (GSO) fraglist can cause a kernel panic. This issue arises when packets with modified geometry violate the expected fraglist invariants, particularly after optional datapath hooks, such as NAT and BPF, alter the fraglist SKBs. The vulnerability was introduced when only part of the fraglist payload was pulled into the head SKB, disrupting the fraglist conditions and causing exceptions during segmentation. The vulnerability affects SKBs that are supposed to consist of multiple segments but, due to improper handling, can be misaligned, leading to processing errors.
Exploitation of this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.
The vulnerability can be reproduced by sending UDP packets that are fragmented in a way that modifies their geometry, such as through the use of NAT or BPF hooks. This can create fraglist SKBs that no longer meet the required invariants for proper GSO handling, particularly if the payload is partially pulled into the head SKB, leaving the fragments misaligned. When these altered SKBs are processed by the kernel, they can trigger a 'BUG' at a specific point in the skbuff handling code, causing a kernel panic.