Linux Kernel UDP Fragmentation Offload Vulnerability in Virtio Network

Vulnerability

A vulnerability has been identified in the Linux kernel's handling of UDP packets with fragmentation offload (UFO) when using virtio network headers. It affects versions through 6.16.0-rc7. When a packet is sent to a TUN device with UFO enabled and the generic segmentation offload (GSO) size is smaller than the UDP header size, the kernel can crash. The crash occurs because the UDP receive function mishandles segmentation of the packet, a segmentation path that was never intended for UFO packets. The vulnerability can be reproduced by sending UDP packets with specific GSO settings that trigger the faulty segmentation handling.

Impact

Exploitation of this vulnerability causes a kernel crash due to an invalid opcode error, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, send a UDP packet with a virtio network header to a TUN device. Ensure that the GSO type in the header is set to indicate UDP segmentation, and that the GSO size is less than the UDP header size. This combination will trigger the vulnerability by causing the kernel to mishandle the packet, leading to a crash.
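
The header condition described above can be checked on frames before they reach a TUN device, for example in a fuzzing harness filter or a capture triage tool. The following is an added example, not code from the kernel or from its fix; it assumes a 10-byte little-endian virtio_net_hdr at the start of each frame, and `check_vnet_frame` and the verdict names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Values from the virtio-net header definition (linux/virtio_net.h). */
#define VNET_GSO_UDP  3     /* VIRTIO_NET_HDR_GSO_UDP, i.e. UFO */
#define VNET_GSO_ECN  0x80  /* VIRTIO_NET_HDR_GSO_ECN flag bit in gso_type */
#define VNET_HDR_LEN  10    /* flags, gso_type, hdr_len, gso_size, csum_start, csum_offset */
#define UDP_HDR_LEN   8     /* sizeof(struct udphdr) */

enum vnet_verdict { VNET_OK = 0, VNET_TRUNCATED = 1, VNET_UFO_GSO_TOO_SMALL = 2 };

/* Read a 16-bit little-endian field (assumption: header is LE encoded). */
static uint16_t le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Classify one frame: virtio_net_hdr followed by the packet bytes. */
enum vnet_verdict check_vnet_frame(const uint8_t *buf, size_t len)
{
    if (len < VNET_HDR_LEN)
        return VNET_TRUNCATED;              /* header not fully present */

    uint8_t gso_type = buf[1] & (uint8_t)~VNET_GSO_ECN;  /* ignore ECN bit */
    uint16_t gso_size = le16(buf + 4);      /* gso_size sits at offset 4 */

    /* The combination the advisory describes: UFO with gso_size < UDP header. */
    if (gso_type == VNET_GSO_UDP && gso_size < UDP_HDR_LEN)
        return VNET_UFO_GSO_TOO_SMALL;
    return VNET_OK;
}

int main(void)
{
    /* Constructed sample headers (header bytes only, no payload). */
    const uint8_t no_gso[10]    = {0, 0, 0, 0, 0x00, 0x00, 0, 0, 0, 0};
    const uint8_t ufo_sane[10]  = {0, 3, 0, 0, 0x78, 0x05, 0, 0, 0, 0}; /* gso_size 1400 */
    const uint8_t ufo_small[10] = {0, 3, 0, 0, 0x04, 0x00, 0, 0, 0, 0}; /* gso_size 4 */

    printf("no_gso=%d ufo_sane=%d ufo_small=%d\n",
           check_vnet_frame(no_gso, sizeof no_gso),
           check_vnet_frame(ufo_sane, sizeof ufo_sane),
           check_vnet_frame(ufo_small, sizeof ufo_small));
    return 0;
}
```

A TUN device using native-endian vnet headers on a big-endian host would need the 16-bit fields read in host order instead.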

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for updating the kernel can be found in the documentation for the specific Linux distribution in use.

Added: Aug 22, 2025, 6:01 PM
Updated: Aug 22, 2025, 6:01 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.4
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.