Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's handling of shared fragment markers within the networking stack. Specifically, two fragment transfer helpers, '__pskb_copy_fclone()' and 'skb_shift()', do not propagate the SKBFL_SHARED_FRAG bit in the skb_shared_info flags when they transfer fragment descriptors from one socket buffer (skb) to another. As a result, the destination skb incorrectly reports that it has no shared fragments while still holding references to the same externally-owned or page-cache-backed pages. In-place writers that rely on skb_has_shared_frag() to decide whether shared pages must be copied before being modified, such as the ESP input processing in IPsec, are therefore misled into writing directly into those pages.
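As an added illustration, not kernel code and not part of this entry, the following user-space C model shows why a shared-fragment marker that does not travel with the fragment descriptors defeats a copy-before-write check; the struct, flag and function names are constructed stand-ins for skb_shared_info, SKBFL_SHARED_FRAG and skb_has_shared_frag().

```c
#include <stdlib.h>
#include <string.h>
/* Simplified user-space model constructed for this entry (not kernel code):
 * a "page" may belong to someone else (page cache); a buffer holds fragment
 * references plus a flags word standing in for skb_shared_info->flags and
 * its SKBFL_SHARED_FRAG bit. */
#define FL_SHARED_FRAG 0x1u
#define MAX_FRAGS 4
struct page { unsigned char data[16]; };
struct buf {
    unsigned int flags;
    int nr_frags;
    struct page *frags[MAX_FRAGS];   /* references to pages, not copies */
};
/* Stands in for skb_has_shared_frag(): in-place writers trust this answer. */
static int has_shared_frag(const struct buf *b) { return (b->flags & FL_SHARED_FRAG) != 0; }
/* Bug pattern: fragment descriptors move, the shared marker does not. */
static void transfer_frags_buggy(struct buf *dst, const struct buf *src) {
    dst->nr_frags = src->nr_frags;
    memcpy(dst->frags, src->frags, sizeof(src->frags[0]) * (size_t)src->nr_frags);
}
/* Fixed pattern: the marker travels with the descriptors it describes. */
static void transfer_frags_fixed(struct buf *dst, const struct buf *src) {
    transfer_frags_buggy(dst, src);
    dst->flags |= src->flags & FL_SHARED_FRAG;
}
/* In-place writer: take private copies only when the marker says the pages
 * are shared, then modify the first byte of the first fragment. */
static void inplace_write(struct buf *b) {
    if (has_shared_frag(b)) {
        for (int i = 0; i < b->nr_frags; i++) {
            struct page *p = malloc(sizeof *p);
            memcpy(p, b->frags[i], sizeof *p);
            b->frags[i] = p;                  /* private copy, safe to modify */
        }
        b->flags &= ~FL_SHARED_FRAG;
    }
    b->frags[0]->data[0] = 0x41;
}
/* First byte of the externally owned page after the write: 0 means it was
 * left intact, 0x41 means the write leaked into it. */
int page_after_write(int use_fixed_helper) {
    struct page cache = {{0}};               /* constructed "page-cache" page */
    struct buf src = { FL_SHARED_FRAG, 1, { &cache } };
    struct buf dst = { 0, 0, { 0 } };
    if (use_fixed_helper) transfer_frags_fixed(&dst, &src);
    else transfer_frags_buggy(&dst, &src);
    inplace_write(&dst);
    if (dst.frags[0] != &cache) free(dst.frags[0]);
    return cache.data[0];
}
```

A regression check for a transfer helper is the same comparison: after the transfer, the destination must report shared fragments whenever the source did.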
The vulnerability allows an unprivileged user to write into the page cache of a root-owned, read-only file by taking advantage of the stripped shared fragment marker in the ESP input processing.
To reproduce this vulnerability, apply a single nft 'dup to <local>' rule, or use any other nf_dup_ipv4() / xt_TEE caller. This lands a copied skb in the ESP input processing with the shared fragment marker stripped, and the authencesn-ESN stray writes then go into a root-owned, read-only file.
The vulnerability has been fixed in the Linux stable tree. Instructions for applying the patch can be found in the official Linux kernel repository.