Linux Kernel Zero-Copy Fragment Merging Vulnerability in GRO Processing

Vulnerability

A vulnerability in the Linux kernel's Generic Receive Offload (GRO) handling can lead to a use-after-free condition. The issue arises because the GRO function can merge packet fragments from zero-copy sockets without properly managing the reference counts of the underlying memory pages. This flaw is present in the stable Linux kernel and affects several versions. When the last packet in the GRO chain or the source packet is zero-copy, the packets should not be merged. The vulnerability has been addressed by modifying the GRO function to check the zero-copy status before merging packets.
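The merge problem and the zero-copy check described above, as an added example that is not part of the original advisory or the kernel source. It is a simplified userspace C model: every name (struct pkt, gro_merge, zerocopy_complete, scenario) is hypothetical, and the ownership rule (zero-copy fragments borrow the sender's pages without taking a reference of their own) is an assumption made for illustration.

```c
/* Simplified userspace model (constructed for illustration); not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#define MAX_FRAGS 8

struct page { int refcount; };            /* stand-in for a memory page */
struct pkt {                              /* stand-in for a packet buffer */
    struct page *frags[MAX_FRAGS];
    size_t nr_frags;
    bool zerocopy;    /* assumed: frags borrow sender pages, no refs held */
};

/* Attach a page; a normal packet takes its own reference, zero-copy does not. */
static void pkt_add_frag(struct pkt *p, struct page *pg) {
    if (p->nr_frags == MAX_FRAGS) return;
    if (!p->zerocopy) pg->refcount++;
    p->frags[p->nr_frags++] = pg;
}

/* Move src's fragments onto tail; with the check on, refuse if either is zero-copy. */
static bool gro_merge(struct pkt *tail, struct pkt *src, bool check_zerocopy) {
    if (check_zerocopy && (tail->zerocopy || src->zerocopy))
        return false;                     /* packets stay separate */
    if (tail->nr_frags + src->nr_frags > MAX_FRAGS)
        return false;
    for (size_t i = 0; i < src->nr_frags; i++)
        tail->frags[tail->nr_frags++] = src->frags[i];
    src->nr_frags = 0;
    return true;
}

/* Sender's zero-copy completion: the sender drops its reference on the page. */
static void zerocopy_complete(struct page *pg) { pg->refcount--; }

/* Count fragments in p that point at pages with no remaining references. */
static int dangling_frags(const struct pkt *p) {
    int n = 0;
    for (size_t i = 0; i < p->nr_frags; i++)
        if (p->frags[i]->refcount <= 0) n++;
    return n;
}

/* Scenario: normal tail packet, zero-copy source packet, then completion fires. */
static int scenario(bool check_zerocopy) {
    struct page a = { 0 }, b = { 1 };     /* b is referenced only by the sender */
    struct pkt tail = { .zerocopy = false }, src = { .zerocopy = true };
    pkt_add_frag(&tail, &a);
    pkt_add_frag(&src, &b);
    gro_merge(&tail, &src, check_zerocopy);
    zerocopy_complete(&b);
    return dangling_frags(&tail);
}
```

Without the check, the merged packet keeps a fragment whose page the sender has already released; with the check, the merge is refused and no fragment outlives its page.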

Impact

Exploitation of this vulnerability can cause a use-after-free condition, potentially leading to memory corruption or arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending network packets using a zero-copy socket, which bypasses the normal memory management for packet fragments. When these packets are processed with Generic Receive Offload enabled, the kernel can incorrectly merge packet fragments, leading to a use-after-free condition.

Remediation

Users should upgrade to the latest version of the Linux kernel where this vulnerability has been fixed.

Added: Jun 9, 2026, 1:35 PM
Updated: Jun 9, 2026, 1:35 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 5.3
remediation: 7.7
relevance: 9.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.