IM
IronMonkey Threat Research

CVE-2025-38124 MEDIUM

Published: 2025-07-03 | Last Modified: 2026-05-12 | Status: Modified

Description

In the Linux kernel, the following vulnerability has been resolved: net: fix udp gso skb_segment after pull from frag_list Commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after pull from frag_list") detected invalid geometry in frag_list skbs and redirects them from skb_segment_list to more robust skb_segment. But some packets with modified geometry can also hit bugs in that code. We don't know how many such cases exist. Addressing each one by one also requires touching the complex skb_segment code, which risks introducing bugs for other types of skbs. Instead, linearize all these packets that fail the basic invariants on gso fraglist skbs. That is more robust. If only part of the fraglist payload is pulled into head_skb, it will always cause exception when splitting skbs by skb_segment. For detailed call stack information, see below. Valid SKB_GSO_FRAGLIST skbs - consist of two or more segments - the head_skb holds the protocol headers plus first gso_size - one or more frag_list skbs hold exactly one segment - all but the last must be gso_size Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can modify fraglist skbs, breaking these invariants. In extreme cases they pull one part of data into skb linear. For UDP, this causes three payloads with lengths of (11,11,10) bytes were pulled tail to become (12,10,10) bytes. The skbs no longer meets the above SKB_GSO_FRAGLIST conditions because payload was pulled into head_skb, it needs to be linearized before pass to regular skb_segment. skb_segment+0xcd0/0xd14 __udp_gso_segment+0x334/0x5f4 udp4_ufo_fragment+0x118/0x15c inet_gso_segment+0x164/0x338 skb_mac_gso_segment+0xc4/0x13c __skb_gso_segment+0xc4/0x124 validate_xmit_skb+0x9c/0x2c0 validate_xmit_skb_list+0x4c/0x80 sch_direct_xmit+0x70/0x404 __dev_queue_xmit+0x64c/0xe5c neigh_resolve_output+0x178/0x1c4 ip_finish_output2+0x37c/0x47c __ip_finish_output+0x194/0x240 ip_finish_output+0x20/0xf4 ip_output+0x100/0x1a0 NF_HOOK+0xc4/0x16c ip_forward+0x314/0x32c ip_rcv+0x90/0x118 __netif_receive_skb+0x74/0x124 process_backlog+0xe8/0x1a4 __napi_poll+0x5c/0x1f8 net_rx_action+0x154/0x314 handle_softirqs+0x154/0x4b8 [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278! [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000 [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000 [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO) [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14 [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14 [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770

Additional Descriptions (1)

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: fix udp gso skb_segment after pull from frag_list. El commit a1e40ac5b5e9 ("net: gso: fix udp gso fraglist segmentation after pull from frag_list") detectó una geometría no válida en los skbs de frag_list y los redirige de skb_segment_list a un skb_segment más robusto. Sin embargo, algunos paquetes con geometría modificada también pueden presentar errores en ese código. Desconocemos cuántos casos de este tipo existen. Abordar cada uno por separado también requiere modificar el complejo código de skb_segment, lo que podría introducir errores en otros tipos de skbs. En su lugar, se linealizan todos los paquetes que no cumplen con las invariantes básicas en los skbs de fraglist gso. Esto es más robusto. Si solo se extrae una parte de el payload de fraglist en head_skb, siempre se generará una excepción al dividir los skbs por skb_segment. Para obtener información detallada de la pila de llamadas, consulte a continuación. SKB_GSO_FRAGLIST skbs válidos: constan de dos o más segmentos: head_skb contiene los encabezados de protocolo más el primer gso_size: uno o más frag_list skbs contienen exactamente un segmento; todos, excepto el último, deben ser gso_size Los ganchos de ruta de datos opcionales, como NAT y BPF (bpf_skb_pull_data), pueden modificar fraglist skbs, rompiendo estos invariantes. En casos extremos, extraen una parte de los datos en skb lineal. Para UDP, esto hace que se extraigan tres payloads con longitudes de (11,11,10) bytes para convertirse en (12,10,10) bytes. El skbs ya no cumple con las condiciones SKB_GSO_FRAGLIST anteriores porque el payload se extrajo en head_skb; debe linealizarse antes de pasarse a skb_segment regular. skb_segment+0xcd0/0xd14 __udp_gso_segment+0x334/0x5f4 udp4_ufo_fragment+0x118/0x15c inet_gso_segment+0x164/0x338 skb_mac_gso_segment+0xc4/0x13c __skb_gso_segment+0xc4/0x124 validate_xmit_skb+0x9c/0x2c0 validate_xmit_skb_list+0x4c/0x80 sch_direct_xmit+0x70/0x404 __dev_queue_xmit+0x64c/0xe5c neigh_resolve_output+0x178/0x1c4 ip_finish_output2+0x37c/0x47c __ip_finish_output+0x194/0x240 ip_finish_output+0x20/0xf4 ip_output+0x100/0x1a0 NF_HOOK+0xc4/0x16c ip_forward+0x314/0x32c ip_rcv+0x90/0x118 __netif_receive_skb+0x74/0x124 process_backlog+0xe8/0x1a4 __napi_poll+0x5c/0x1f8 net_rx_action+0x154/0x314 handle_softirqs+0x154/0x4b8 [118.376811] [C201134] rxq0_pus: [name:bug&]kernel BUG at net/core/skbuff.c:4278! [118.376829] [C201134] rxq0_pus: [name:traps&]Internal error: Oops - BUG: 00000000f2000800 [#1] PREEMPT SMP [118.470774] [C201134] rxq0_pus: [name:mrdump&]Kernel Offset: 0x178cc00000 from 0xffffffc008000000 [118.470810] [C201134] rxq0_pus: [name:mrdump&]PHYS_OFFSET: 0x40000000 [118.470827] [C201134] rxq0_pus: [name:mrdump&]pstate: 60400005 (nZCv daif +PAN -UAO) [118.470848] [C201134] rxq0_pus: [name:mrdump&]pc : [0xffffffd79598aefc] skb_segment+0xcd0/0xd14 [118.470900] [C201134] rxq0_pus: [name:mrdump&]lr : [0xffffffd79598a5e8] skb_segment+0x3bc/0xd14 [118.470928] [C201134] rxq0_pus: [name:mrdump&]sp : ffffffc008013770

CVSS Metrics

Base Score: 5.5 (MEDIUM)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack VectorLOCAL
Attack ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
ScopeUNCHANGED
Confidentiality ImpactNONE
Integrity ImpactNONE
Availability ImpactHIGH

Source: [email protected]

Type: Primary

Exploitability Score: 1.8

Impact Score: 3.6

Weaknesses

Source Type Description
[email protected] Primary
en CWE-401

Affected Products

Vendor Product Version Update Type
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bf880> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd6af400> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bcc00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd6ae480> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd9bef00> Operating System
linux linux_kernel * <built-in method update of dict object at 0x702bdd6ac180> Operating System
linux linux_kernel 6.12 <built-in method update of dict object at 0x702bdd6ad400> Operating System
linux linux_kernel 6.12 <built-in method update of dict object at 0x702bdd6aff00> Operating System
linux linux_kernel 6.12 <built-in method update of dict object at 0x702bdd6ad380> Operating System
linux linux_kernel 6.12 <built-in method update of dict object at 0x702bdd9be2c0> Operating System
linux linux_kernel 6.12 <built-in method update of dict object at 0x702bdd9bc5c0> Operating System
linux linux_kernel 6.12 <built-in method update of dict object at 0x702bdd6ae380> Operating System
linux linux_kernel 6.12 <built-in method update of dict object at 0x702bdd9bffc0> Operating System
debian debian_linux 11.0 <built-in method update of dict object at 0x702bdd6ada00> Operating System

Affected Configurations

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.12:-:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.12:rc4:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.12:rc5:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.12:rc6:*:*:*:*:*:*
Yes cpe:2.3:o:linux:linux_kernel:6.12:rc7:*:*:*:*:*:*

Operator: OR

Vulnerable CPE
Yes cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

References

Notification
Message here