Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A panic vulnerability has been identified in the Linux kernel's IP-TFS (IP Traffic Flow Security) implementation within the XFRM (transform) framework. The issue arises during the reassembly of fragmented packets when the inner packet buffer ('newskb') becomes non-linear. Reassembly first tries to append fragment data to 'newskb' with a zero-copy method, and a successful zero-copy append leaves 'newskb' non-linear. When a later fragment cannot be appended that way, a memory copy is required, and that path calls 'skb_put()' to add the data. If 'newskb' is non-linear at that point, 'skb_put()' hits an assertion check and the kernel panics. The issue has been fixed by adding a check for non-linear SKBs and linearizing them before reassembly.
Exploitation of this vulnerability leads to a kernel panic, causing a crash of the affected system.
The vulnerability can be reproduced by sending fragmented IP packets through a tunnel that uses IP-TFS. The first fragment can be processed without issue, but when a subsequent fragment is received that does not meet the fast-path conditions, the reassembly process will attempt to use 'skb_put()' to append the data. This will trigger the SKB_LINEAR_ASSERT check, causing a panic.
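The failing sequence and the fix described above, as an added userspace model in C (not kernel code and not the upstream patch). `struct mskb`, the `mskb_*` helpers, `reassem_copy` and `reassemble_demo` are hypothetical stand-ins for `sk_buff`, `skb_put()` and linearization, and the model returns an error code at the point where the kernel would panic.

```c
#include <stddef.h>
#include <string.h>

struct mskb {                      /* simplified stand-in for struct sk_buff */
    unsigned char head[32];        /* linear data area */
    size_t lin_len;                /* bytes used in the linear area */
    const unsigned char *frag;     /* one zero-copy fragment (the model keeps just one) */
    size_t data_len;               /* bytes held in the fragment; non-zero = non-linear */
};

static int mskb_is_nonlinear(const struct mskb *s) { return s->data_len != 0; }

/* Models skb_put(): the kernel's SKB_LINEAR_ASSERT fires here and panics;
 * the model returns NULL at that point instead. */
static unsigned char *mskb_put(struct mskb *s, size_t n) {
    if (mskb_is_nonlinear(s) || s->lin_len + n > sizeof s->head) return NULL;
    s->lin_len += n;
    return s->head + s->lin_len - n;
}

/* Models linearizing: copy the fragment bytes into the linear area. */
static int mskb_linearize(struct mskb *s) {
    if (s->lin_len + s->data_len > sizeof s->head) return -1;
    memcpy(s->head + s->lin_len, s->frag, s->data_len);
    s->lin_len += s->data_len;
    s->frag = NULL; s->data_len = 0;
    return 0;
}

/* Memory-copy path of reassembly; check_linear = 1 models the fixed kernel. */
static int reassem_copy(struct mskb *s, const void *p, size_t n, int check_linear) {
    if (check_linear && mskb_is_nonlinear(s) && mskb_linearize(s) != 0) return -1;
    unsigned char *tail = mskb_put(s, n);
    if (!tail) return -2;          /* where the unfixed kernel would panic */
    memcpy(tail, p, n);
    return 0;
}

/* Constructed scenario: 4 linear bytes, a zero-copy fragment, then a copied one. */
int reassemble_demo(int check_linear, unsigned char *out, size_t *out_len) {
    struct mskb s = { "AAAA", 4, NULL, 0 };
    s.frag = (const unsigned char *)"BBBB"; s.data_len = 4;   /* zero-copy fast path */
    int rc = reassem_copy(&s, "CC", 2, check_linear);
    memcpy(out, s.head, s.lin_len); *out_len = s.lin_len;
    return rc;
}
```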
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.