Linux Kernel Generic Segmentation Offload Vulnerability with IPv6 Extension Headers

A vulnerability in the Linux kernel's handling of Generic Segmentation Offload (GSO) for IPv6 packets with extension headers has been identified. The kernel improperly requests checksum offload on devices that only support basic IPv6 checksum for standard TCP or UDP packets, excluding those with extension headers. This flaw can disrupt network throughput by causing the device to attempt unsupported operations, generating warnings about bad offload management. Although the kernel correctly defaults to software-based GSO for these packets, it fails to explicitly disable the erroneous checksum offload request. The issue particularly affects packets in GRE over IPv6 tunnels, where extension headers are commonly used.

Impact

Exploitation of this vulnerability leads to a warning about bad offload management and a significant reduction in network throughput.

Reproduction

To reproduce this vulnerability, send an IPv6 packet with extension headers over a network interface that only advertises support for basic IPv6 checksum offload. This can be done using a tool like 'tcpdump' to capture the packet headers and verify the presence of extensions. The packet should be transmitted over a GRE over IPv6 tunnel to trigger the vulnerability, as the tunnel encapsulation adds the necessary extension headers. Monitor the kernel log for warnings about bad offload, which indicate that the vulnerability has been successfully reproduced.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version available in the Linux kernel stable tree.