CVE-2021-47036 in Linux
Summary
by MITRE • 02/28/2024
In the Linux kernel, the following vulnerability has been resolved:
udp: skip L4 aggregation for UDP tunnel packets
If NETIF_F_GRO_FRAGLIST or NETIF_F_GRO_UDP_FWD are enabled, and there are UDP tunnels available in the system, udp_gro_receive() could end up doing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) at the outer UDP tunnel level for packets effectively carrying a UDP tunnel header.
That could cause inner protocol corruption. If e.g. the relevant packets carry a vxlan header, different vxlan ids will be ignored/aggregated to the same GSO packet. Inner headers will be ignored, too, so that e.g. TCP over vxlan push packets will be held in the GRO engine till the next flush, etc.
Just skip the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code path if the current packet could land in a UDP tunnel, and let udp_gro_receive() do GRO via udp_sk(sk)->gro_receive.
The check implemented in this patch is broader than what is strictly needed, as the existing UDP tunnel could be e.g. configured on top of a different device: we could end up skipping GRO at all for some packets.
Anyhow, that is a very thin corner case and covering it will add quite a bit of complexity.
v1 -> v2:
- hopefully clarify the commit message
Analysis
by VulDB Data Team • 01/10/2025
The vulnerability described in CVE-2021-47036 resides in the Linux kernel's network stack, specifically in the Generic Receive Offload (GRO) handling of User Datagram Protocol (UDP) packets. It manifests when the kernel performs Layer 4 aggregation on UDP tunnel packets, corrupting the inner protocol headers during GRO. The problem occurs when the network interface features NETIF_F_GRO_FRAGLIST and NETIF_F_GRO_UDP_FWD are enabled; these features optimize packet processing by combining multiple packets into one larger packet. The vulnerability is particularly concerning because it affects the packet handling mechanism that underlies network virtualization and tunneling protocols.
The flaw stems from the way udp_gro_receive() handles UDP tunnel packets: it applies Layer 4 aggregation at the outer UDP level to packets that are in fact carrying a UDP tunnel header. Because only the outer headers are compared, inner protocol information is corrupted; with Virtual eXtensible Local Area Network (VXLAN) traffic, packets with different VXLAN identifiers are aggregated into the same Generic Segmentation Offload (GSO) packet. Inner headers are ignored as well, so TCP packets carried over VXLAN tunnels may be held in the GRO engine until the next flush instead of being delivered promptly, which amounts to a denial of service condition. This behavior violates the expected packet processing semantics and compromises network reliability. The vulnerability maps to CWE-129, which addresses improper validation of array indices, and aligns with ATT&CK technique T1499.004 for network denial of service attacks.
The operational impact extends beyond packet corruption to the disruption of network services that depend on tunneling. Administrators running systems with GRO features and UDP tunneling enabled face intermittent connectivity issues, packet loss, and degraded performance. The risk is greatest in virtualized environments where VXLAN and other tunneling protocols are used extensively, because failures can cascade through the network infrastructure. Affected systems include any Linux kernel version that implements the problematic GRO aggregation logic with UDP tunneling support enabled. The patch adds a check, broader than strictly necessary, that skips the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code paths whenever a packet could land in a UDP tunnel, so such packets are handled through udp_sk(sk)->gro_receive instead. Although more conservative than required (packets destined for a tunnel configured on a different device may lose GRO entirely), this approach prevents corruption of inner protocol headers while preserving the performance benefits of GRO for non-tunnel traffic.
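As an added example (not the kernel's code, and not from VulDB or MITRE), the following C model shows the decision the analysis above describes: the unfixed path matches only on the outer 4-tuple and so merges VXLAN segments with different VNIs, while the patched path hands anything that could land in a UDP tunnel to the tunnel's gro_receive. The packet struct, the action enum and the port-based tunnel lookup are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Simplified model of the udp_gro_receive() decision behind CVE-2021-47036.
 * This is an added illustration, not kernel code: the packet struct, the
 * action enum and the port-based tunnel lookup are assumptions. */

struct pkt {
    uint32_t saddr, daddr;   /* outer IPv4 addresses */
    uint16_t sport, dport;   /* outer UDP ports */
    bool     has_vxlan;      /* a VXLAN header follows the outer UDP header */
    uint32_t vni;            /* VXLAN Network Identifier in that header */
};

enum gro_action {
    GRO_MERGE_L4,   /* SKB_GSO_UDP_L4 / SKB_GSO_FRAGLIST merge on outer header */
    GRO_TUNNEL_CB,  /* hand off to udp_sk(sk)->gro_receive, which knows VXLAN */
    GRO_NO_MATCH    /* outer 4-tuple differs: not the same flow */
};

/* Constructed: the only UDP tunnel socket on this host is a VXLAN listener. */
#define VXLAN_PORT 4789
static bool udp_tunnel_port(uint16_t dport) { return dport == VXLAN_PORT; }

/* 'fixed' selects the patched behaviour: skip L4 aggregation when the
 * packet could land in a UDP tunnel. The unfixed path compares only the
 * outer 4-tuple and never looks at what follows the outer UDP header. */
enum gro_action udp_gro_decide(const struct pkt *held, const struct pkt *p, bool fixed)
{
    bool same_flow = held->saddr == p->saddr && held->daddr == p->daddr &&
                     held->sport == p->sport && held->dport == p->dport;
    if (!same_flow)
        return GRO_NO_MATCH;
    if (fixed && udp_tunnel_port(p->dport))
        return GRO_TUNNEL_CB;
    return GRO_MERGE_L4;
}

/* True when an outer-header merge would splice segments carrying different
 * VNIs into one GSO packet: the inner-protocol corruption the patch stops. */
bool inner_corrupted(const struct pkt *held, const struct pkt *p, bool fixed)
{
    return udp_gro_decide(held, p, fixed) == GRO_MERGE_L4 &&
           held->has_vxlan && p->has_vxlan && held->vni != p->vni;
}
```

Feeding two segments of the same outer flow to port 4789 but with different VNIs yields a merge (and corruption) on the unfixed path and a tunnel hand-off on the fixed one, while plain UDP traffic on a non-tunnel port still gets L4 aggregation in both cases.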