CVE-2022-49872 in Linuxinfo

Summary

by MITRE • 05/01/2025

In the Linux kernel, the following vulnerability has been resolved:

net: gso: fix panic on frag_list with mixed head alloc types

Since commit 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list"), it is allowed to change gso_size of a GRO packet. However, that commit assumes that "checking the first list_skb member suffices; i.e if either of the list_skb members have non head_frag head, then the first one has too".

It turns out this assumption does not hold. We've seen BUG_ON being hit in skb_segment when skbs on the frag_list had differing head_frag with the vmxnet3 driver. This happens because __netdev_alloc_skb and __napi_alloc_skb can return a skb that is page backed or kmalloced depending on the requested size. As the result, the last small skb in the GRO packet can be kmalloced.

There are three different locations where this can be fixed:

(1) We could check head_frag in GRO and not allow GROing skbs with different head_frag. However, that would lead to performance regression on normal forward paths with unmodified gso_size, where !head_frag in the last packet is not a problem.

(2) Set a flag in bpf_skb_net_grow and bpf_skb_net_shrink indicating that NETIF_F_SG is undesirable. That would need to eat a bit in sk_buff. Furthermore, that flag can be unset when all skbs on the frag_list are page backed. To retain good performance, bpf_skb_net_grow/shrink would have to walk the frag_list.

(3) Walk the frag_list in skb_segment when determining whether NETIF_F_SG should be cleared. This of course slows things down.

This patch implements (3). To limit the performance impact in skb_segment, the list is walked only for skbs with SKB_GSO_DODGY set that have gso_size changed. Normal paths thus will not hit it.

We could check only the last skb but since we need to walk the whole list anyway, let's stay on the safe side.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 11/11/2025

The vulnerability described in CVE-2022-49872 represents a critical panic condition within the Linux kernel's networking subsystem, specifically affecting the Generic Segmentation Offload (GSO) functionality. This issue manifests when processing fragmented network packets that contain a mix of different memory allocation types for their head fragments, creating a scenario where the kernel's packet segmentation logic fails catastrophically. The problem originates from a flawed assumption made in commit 3dcbdb134f32, which attempted to address a similar GRO packet handling issue but introduced a new vulnerability by assuming that checking only the first list_skb member would suffice for determining head_frag allocation types across the entire fragment list.

The technical flaw stems from the inconsistent memory allocation behavior of the networking subsystem where different allocation paths can return skbs with varying head fragment characteristics. Specifically, the __netdev_alloc_skb and __napi_alloc_skb functions can return skbs that are either page-backed or kmalloced depending on the requested size, creating scenarios where the last small skb in a GRO packet might be kmalloced while others remain page-backed. This inconsistency triggers a BUG_ON condition in the skb_segment function when processing frag_list structures with mixed head allocation types, leading to kernel panics that can compromise system stability and availability.

The operational impact of this vulnerability extends beyond simple system crashes to potentially affect network throughput and service availability across affected systems. When triggered, the panic condition causes immediate kernel termination, requiring system restarts and potentially leading to data loss or service disruption in network-intensive environments. The vulnerability is particularly concerning because it can be exploited through normal network traffic processing, making it a latent threat that doesn't require special privileges or unusual conditions to manifest. This aligns with ATT&CK technique T1499.004 for network denial of service and CWE-248 for unspecified other flaws in kernel networking components.

The resolution implemented addresses the issue by walking the entire frag_list in the skb_segment function when determining whether NETIF_F_SG should be cleared, specifically targeting only those skbs with SKB_GSO_DODGY set and gso_size changes. This approach limits performance impact by avoiding the additional list traversal in normal processing paths while ensuring correctness when mixed allocation types are detected. The solution acknowledges that checking only the last skb would be insufficient and opts for a more comprehensive approach that maintains system performance while preventing the panic condition. This implementation follows security best practices by implementing defensive programming techniques that validate assumptions about data structures before proceeding with operations, preventing the exploitation of inconsistent memory allocation patterns that could otherwise lead to system instability.

The fix demonstrates proper vulnerability management by addressing the root cause rather than implementing superficial workarounds, maintaining the intended functionality of GSO processing while preventing the specific panic condition. The approach of selective list traversal based on specific conditions ensures that performance is maintained for normal operations while providing the necessary safety checks for edge cases involving mixed allocation types. This resolution reflects a mature understanding of kernel networking complexities and the importance of maintaining consistency in memory management patterns across different subsystem components, particularly in high-performance networking contexts where such vulnerabilities can have significant operational consequences.

Responsible

Linux

Reservation

05/01/2025

Disclosure

05/01/2025

Moderation

accepted

CPE

ready

EPSS

0.00166

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!