In the Linux kernel, the following vulnerability has been resolved:

net: skbuff: preserve shared-frag marker during coalescing

skb_try_coalesce() can attach paged frags from @from to @to. If @from has SKBFL_SHARED_FRAG set, the resulting @to skb can contain the same externally-owned or page-cache-backed frags, but the shared-frag marker is currently lost. That breaks the invariant relied on by later in-place writers.

In particular, ESP input checks skb_has_shared_frag() before deciding whether an uncloned nonlinear skb can skip skb_cow_data(). If TCP receive coalescing has moved shared frags into an unmarked skb, ESP can see skb_has_shared_frag() as false and decrypt in place over page-cache backed frags.

Propagate SKBFL_SHARED_FRAG when skb_try_coalesce() transfers paged frags. The tailroom copy path does not need the marker because it copies bytes into @to's linear data rather than transferring frag descriptors.
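The invariant described above, as an added userland model in C. This is example code written for this page, not kernel code and not the patch itself: the structures, the SKBFL_SHARED_FRAG bit value, the `_model` functions, the `esp_may_write_in_place()` decision helper, the XOR "decryption" and the 128-byte page-cache buffer are all simplified stand-ins. The model takes the two coalesce paths the commit message distinguishes (tailroom copy versus frag-descriptor transfer) and shows that only the descriptor-transfer path can hand ESP a shared page without the marker, and that propagating the marker makes ESP take the copy path instead.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for kernel structures: the flag value, sizes and field
 * names are assumptions made for this model, not the kernel's definitions. */
#define SKBFL_SHARED_FRAG 0x01
#define MAX_FRAGS 4
#define LINEAR_SIZE 64

struct frag { unsigned char *data; size_t len; }; /* one paged fragment */

struct skb {
	unsigned int flags;                /* SKBFL_* bits */
	bool cloned;
	unsigned char linear[LINEAR_SIZE]; /* head area; the unused tail is tailroom */
	size_t linear_len;
	size_t nr_frags;
	struct frag frags[MAX_FRAGS];
};

static bool skb_has_shared_frag(const struct skb *s)
{
	return (s->flags & SKBFL_SHARED_FRAG) != 0;
}

static size_t skb_len(const struct skb *s)
{
	size_t n = s->linear_len;
	for (size_t i = 0; i < s->nr_frags; i++)
		n += s->frags[i].len;
	return n;
}

/* Model of skb_try_coalesce(): merge @from into @to, true on success.
 * @propagate=false reproduces the pre-fix behaviour, true the fixed one. */
static bool skb_try_coalesce_model(struct skb *to, const struct skb *from, bool propagate)
{
	size_t len = skb_len(from);
	if (len <= LINEAR_SIZE - to->linear_len) {
		/* tailroom path: bytes are copied into @to's linear area; no frag
		 * descriptor changes hands, so the marker is not needed */
		unsigned char *dst = to->linear + to->linear_len;
		memcpy(dst, from->linear, from->linear_len);
		dst += from->linear_len;
		for (size_t i = 0; i < from->nr_frags; i++) {
			memcpy(dst, from->frags[i].data, from->frags[i].len);
			dst += from->frags[i].len;
		}
		to->linear_len += len;
		return true;
	}
	/* frag path (simplified: @from must be purely paged): descriptors move,
	 * so @to now references the same pages @from did */
	if (from->linear_len || to->nr_frags + from->nr_frags > MAX_FRAGS)
		return false;
	for (size_t i = 0; i < from->nr_frags; i++)
		to->frags[to->nr_frags++] = from->frags[i];
	if (propagate)
		to->flags |= from->flags & SKBFL_SHARED_FRAG; /* the fix */
	return true;
}

/* Model of the ESP input decision: an uncloned skb with no shared frags is
 * decrypted in place; otherwise skb_cow_data() copies into private memory. */
static bool esp_may_write_in_place(const struct skb *s)
{
	return !s->cloned && !skb_has_shared_frag(s);
}

/* Stand-in for in-place decryption: XOR every byte the skb covers. */
static void decrypt_in_place(struct skb *s)
{
	for (size_t j = 0; j < s->linear_len; j++)
		s->linear[j] ^= 0x5a;
	for (size_t i = 0; i < s->nr_frags; i++)
		for (size_t j = 0; j < s->frags[i].len; j++)
			s->frags[i].data[j] ^= 0x5a;
}

/* The commit's scenario: a receive coalesce moves a page-cache-backed frag
 * from a marked skb into an unmarked one, then ESP picks a decrypt path.
 * @page_len selects the coalesce path (larger than tailroom: frag transfer).
 * Returns true if the shared page was written, i.e. the invariant broke. */
static bool shared_page_modified(bool propagate, size_t page_len)
{
	unsigned char page_cache[128]; /* constructed stand-in for a page-cache page */
	memset(page_cache, 0x41, sizeof(page_cache));
	struct skb to = { 0 };
	struct skb from = { .flags = SKBFL_SHARED_FRAG, .nr_frags = 1 };
	from.frags[0] = (struct frag){ page_cache, page_len };

	if (!skb_try_coalesce_model(&to, &from, propagate))
		return false;
	if (esp_may_write_in_place(&to))
		decrypt_in_place(&to);
	return memchr(page_cache, 0x41 ^ 0x5a, sizeof(page_cache)) != NULL;
}
```

`shared_page_modified(false, 128)` takes the descriptor-transfer path without the fix and reports the page-cache buffer being overwritten; with `propagate=true` the marker travels with the frag, ESP falls back to the copy path and the page is untouched. A 16-byte frag fits the tailroom, is copied into `to->linear`, and is never written in place regardless of the flag, which is why the patch leaves that path alone.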
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | HIGH |
| Integrity Impact | HIGH |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary | CWE-787 (Out-of-bounds Write) |
| Vendor | Product | Version | Update | Type | Vulnerable | CPE |
|---|---|---|---|---|---|---|
| linux | linux_kernel | * | * | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | * | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | * | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | * | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | * | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | * | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | * | * | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| linux | linux_kernel | 7.1 | rc1 | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:7.1:rc1:*:*:*:*:*:* |
| linux | linux_kernel | 7.1 | rc2 | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:7.1:rc2:*:*:*:*:*:* |
| linux | linux_kernel | 7.1 | rc3 | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:7.1:rc3:*:*:*:*:*:* |
| linux | linux_kernel | 7.1 | rc4 | Operating System | Yes | cpe:2.3:o:linux:linux_kernel:7.1:rc4:*:*:*:*:*:* |