Linux Kernel UDP GRO Network Offset Vulnerability

Vulnerability

A vulnerability in the Linux kernel's UDP Generic Receive Offload (GRO) handling has been addressed. The issue arose because the GRO completion stage incorrectly assumed that all received packets had the 'encapsulation' flag cleared. This assumption was false, as some hardware network interface controllers (NICs) could set the flag when offloading UDP checksums for encapsulated traffic. Additionally, the TUN driver could inject Generic Segmentation Offload (GSO) packets with UDP encapsulation, and a similar problematic scenario could be created using a virtual Ethernet (veth) setup. In these cases, the 'udp4_gro_complete()' function used the wrong network offset, leading to checksum validation errors in subsequent packet processing. The vulnerability has been fixed by ensuring the encapsulation flag is cleared during the GRO completion process, allowing it to be correctly set for encapsulated packets as needed.
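
The offset mix-up described above, as a simplified user-space model added here for illustration; it is not code from the kernel or from this advisory. All struct and function names are hypothetical, the packet is constructed sample data, and the model assumes that the wrong offset chosen when the flag is set is the inner network header.

```c
#include <stdint.h>
#include <stdio.h>

struct pkt {                     /* simplified model; hypothetical names, not kernel code */
    uint8_t data[64];            /* outer IPv4 | outer UDP | inner IPv4 | inner UDP */
    size_t network_offset;       /* outer IPv4 header */
    size_t inner_network_offset; /* inner IPv4 header */
    int encapsulation;           /* flag as delivered by the NIC, TUN or veth */
};

/* Folded pseudo-header sum (addresses, protocol 17, UDP length) for the IPv4 header at off. */
static uint16_t pseudo_sum(const struct pkt *p, size_t off, uint16_t udp_len)
{
    uint32_t s = 17u + udp_len;
    for (int i = 12; i < 20; i += 2)   /* source and destination address words */
        s += (uint32_t)(p->data[off + i] << 8 | p->data[off + i + 1]);
    while (s >> 16)
        s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}

/* Unpatched completion: the header offset follows whatever flag arrived (assumed model). */
static uint16_t complete_unpatched(const struct pkt *p, uint16_t udp_len)
{
    size_t off = p->encapsulation ? p->inner_network_offset : p->network_offset;
    return pseudo_sum(p, off, udp_len);
}

/* Patched completion: the flag is cleared first, so the outer header is always used. */
static uint16_t complete_patched(struct pkt *p, uint16_t udp_len)
{
    p->encapsulation = 0;
    return complete_unpatched(p, udp_len);
}

/* Constructed sample: outer 192.0.2.1 -> 192.0.2.2, inner 10.0.0.1 -> 10.0.0.2. */
static struct pkt sample(int encap_flag)
{
    struct pkt p = {
        .data = { [12] = 192, 0, 2, 1, 192, 0, 2, 2, [40] = 10, 0, 0, 1, 10, 0, 0, 2 },
        .network_offset = 0, .inner_network_offset = 28, .encapsulation = encap_flag };
    return p;
}

int main(void)
{
    struct pkt a = sample(1), b = sample(1);
    printf("unpatched 0x%04x, patched 0x%04x\n", complete_unpatched(&a, 44), complete_patched(&b, 44));
}
```

With the flag set on arrival, the unpatched path sums the inner addresses and produces a value that will not validate against the outer UDP header; clearing the flag first restores the outer-header result.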

Impact

The vulnerability could cause checksum validation errors in packet processing, potentially leading to incorrect handling of UDP traffic.

Reproduction

The vulnerability can be reproduced by creating a scenario where UDP packets are encapsulated and the 'encapsulation' flag is not cleared before the GRO completion stage. This can be done using certain hardware NICs that offload UDP checksums, or by injecting GSO packets with UDP encapsulation using the TUN driver. Alternatively, a veth-based setup can also create the problematic packet layout.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Mar 18, 2026, 6:34 PM
Updated: Mar 18, 2026, 6:34 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 4.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.