Linux Kernel Shared SKB Frag In-Place Decrypt Vulnerability in XFRM ESP

Vulnerability

A vulnerability in the Linux kernel's handling of shared socket buffer (skb) fragments can cause ESP (Encapsulating Security Payload) input processing to decrypt data in place over memory the skb does not own exclusively. When user space splices pages from a pipe into a UDP (User Datagram Protocol) socket with MSG_SPLICE_PAGES, the kernel attaches those pages to the skb as fragments but does not mark them as shared (the SKBFL_SHARED_FRAG flag in the skb's shared info), even though other holders, such as the pipe or the page cache of the file the data was spliced from, still reference them. If such a datagram is then processed as ESP-in-UDP, ESP input sees an ordinary uncloned nonlinear skb, takes its in-place decryption path and writes the decrypted output into those shared pages, corrupting data that belongs to whoever else references them.

Impact

An ESP-in-UDP packet built from spliced pages is decrypted in place into pages the skb shares with other users, so the decryption overwrites memory outside the skb's private ownership (for example the page-cache pages of the file the data was spliced from) instead of a private copy. The result is corruption of whatever else references those pages, and a decrypted payload that may itself be incorrect or manipulated.

Reproduction

The condition can be reproduced by splicing data from a pipe whose buffers reference shared pages into a UDP socket; on current kernels, splice(2) onto a socket ends up in the socket's sendmsg path with MSG_SPLICE_PAGES set. The IPv4 and IPv6 datagram append paths do not set the shared-fragment flag on the resulting skb, so when that datagram is processed as ESP-in-UDP, ESP input treats it as an ordinary uncloned nonlinear skb and decrypts it in place rather than first copying the data into memory the skb owns.
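The following is an added example, not code from the advisory or from the kernel tree. It is a user-space harness for the page-sharing primitive described above: it copies a constructed payload into a memfd (so the bytes live in the page cache), splices the file into a pipe, and splices the pipe into a connected UDP socket on loopback, which on current kernels drives the in-kernel MSG_SPLICE_PAGES send path so that the datagram's skb fragments reference the file's own pages. It sets up no IPsec/ESP-in-UDP state, so nothing decrypts the packet; it only shows how shared pages reach a UDP skb and verifies that the payload arrives intact and the file is untouched. The function and helper names (splice_udp_roundtrip, sys_splice, sys_memfd_create, bind_udp_loopback) and the payload pattern are this example's own. The wrappers call splice(2) and memfd_create(2) through syscall(2) so the file compiles regardless of whether _GNU_SOURCE is in effect before the first header.

```c
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

#define PAYLOAD_LEN 1200 /* constructed payload: one datagram, fits in one page */

/* Raw syscall wrappers (example's own names), so the build does not depend on
 * glibc's _GNU_SOURCE-gated prototypes for splice() and memfd_create(). */
static long sys_splice(int fd_in, long long *off_in, int fd_out,
                       long long *off_out, size_t len, unsigned int flags)
{
    return syscall(SYS_splice, fd_in, off_in, fd_out, off_out, len, flags);
}

static int sys_memfd_create(const char *name, unsigned int flags)
{
    return (int)syscall(SYS_memfd_create, name, flags);
}

/* Recognisable, non-repeating byte pattern (constructed test data). */
static void fill_pattern(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(i * 7 + 3);
}

/* Bind a UDP socket to 127.0.0.1 on an ephemeral port, with a 2 s receive
 * timeout so a lost datagram cannot hang the caller; reports the address. */
static int bind_udp_loopback(struct sockaddr_in *addr)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    socklen_t alen = sizeof(*addr);
    struct timeval tv = { .tv_sec = 2, .tv_usec = 0 };

    if (fd < 0)
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)addr, sizeof(*addr)) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &alen) < 0 ||
        setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Drive one datagram through memfd -> pipe -> UDP socket -> loopback.
 * Returns 0 if the receiver got exactly the original bytes and the file's
 * page cache still holds them, 1 if either comparison fails, -1 on a
 * syscall error (errno is left set by the failing call). */
int splice_udp_roundtrip(void)
{
    unsigned char pattern[PAYLOAD_LEN], rx[PAYLOAD_LEN], file_after[PAYLOAD_LEN];
    struct sockaddr_in rx_addr;
    int rc = -1, memfd = -1, tx = -1, rxfd = -1, pfd[2] = { -1, -1 };
    long long off = 0;

    fill_pattern(pattern, PAYLOAD_LEN);

    /* 1. Payload into the page cache of an anonymous tmpfs file. */
    memfd = sys_memfd_create("spliced-payload", 0);
    if (memfd < 0 || write(memfd, pattern, PAYLOAD_LEN) != PAYLOAD_LEN)
        goto out;

    /* 2. Receiver on loopback; sender connected to it so splice() to the
     *    socket needs no destination address. */
    rxfd = bind_udp_loopback(&rx_addr);
    if (rxfd < 0)
        goto out;
    tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (tx < 0 || connect(tx, (struct sockaddr *)&rx_addr, sizeof(rx_addr)) < 0)
        goto out;

    /* 3. file -> pipe: the pipe buffers now reference the page-cache pages. */
    if (pipe(pfd) < 0 ||
        sys_splice(memfd, &off, pfd[1], NULL, PAYLOAD_LEN, 0) != PAYLOAD_LEN)
        goto out;

    /* 4. pipe -> socket: on current kernels this is the MSG_SPLICE_PAGES send
     *    path, so the datagram's skb frags point at the pages the file owns. */
    if (sys_splice(pfd[0], NULL, tx, NULL, PAYLOAD_LEN, 0) != PAYLOAD_LEN)
        goto out;

    /* 5. Receive, then compare against the original and re-read the file. */
    if (recv(rxfd, rx, sizeof(rx), 0) != PAYLOAD_LEN ||
        pread(memfd, file_after, PAYLOAD_LEN, 0) != PAYLOAD_LEN)
        goto out;

    rc = (memcmp(rx, pattern, PAYLOAD_LEN) == 0 &&
          memcmp(file_after, pattern, PAYLOAD_LEN) == 0) ? 0 : 1;
out:
    if (pfd[0] >= 0) close(pfd[0]);
    if (pfd[1] >= 0) close(pfd[1]);
    if (tx >= 0) close(tx);
    if (rxfd >= 0) close(rxfd);
    if (memfd >= 0) close(memfd);
    return rc;
}

int main(void)
{
    int rc = splice_udp_roundtrip();
    if (rc < 0)
        perror("splice_udp_roundtrip");
    else
        printf("%s\n", rc == 0 ? "payload and file intact" : "MISMATCH");
    return rc == 0 ? 0 : 1;
}
```

With no IPsec state on the receiving socket, both comparisons are expected to hold on any kernel. The second comparison, re-reading the memfd after delivery, is the place where in-place decryption over shared page-cache pages would become visible if a datagram built this way were processed by the ESP-in-UDP input path on an affected kernel; this harness deliberately stops short of that and only establishes the page-sharing precondition.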

Remediation

Upgrade to a kernel that includes the fix, which makes the IPv4 and IPv6 datagram append paths mark fragments spliced in with MSG_SPLICE_PAGES as shared, so that ESP input no longer treats such packets as ordinary uncloned nonlinear skbs and decrypts them in place. Consult your distribution's or the official Linux kernel documentation for upgrade instructions.

Added: May 8, 2026, 8:24 AM
Updated: May 8, 2026, 8:24 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 7.8
threat: 5.3
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.