| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025091145-CVE-2025-39770-6e65@gregkh>
Date: Thu, 11 Sep 2025 18:56:49 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...nel.org>
Subject: CVE-2025-39770: net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
From: Greg Kroah-Hartman <gregkh@...nel.org>
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
net: gso: Forbid IPv6 TSO with extensions on devices with only IPV6_CSUM
When performing Generic Segmentation Offload (GSO) on an IPv6 packet that
contains extension headers, the kernel incorrectly requests checksum offload
if the egress device only advertises NETIF_F_IPV6_CSUM feature, which has
a strict contract: it supports checksum offload only for plain TCP or UDP
over IPv6 and explicitly does not support packets with extension headers.
The current GSO logic violates this contract by failing to disable the feature
for packets with extension headers, such as those used in GREoIPv6 tunnels.
This violation results in the device being asked to perform an operation
it cannot support, leading to a `skb_warn_bad_offload` warning and a collapse
of network throughput. While device TSO/USO is correctly bypassed in favor
of software GSO for these packets, the GSO stack must be explicitly told not
to request checksum offload.
Mask NETIF_F_IPV6_CSUM, NETIF_F_TSO6 and NETIF_F_GSO_UDP_L4
in gso_features_check if the IPv6 header contains extension headers to compute
checksum in software.
The exception is a BIG TCP extension, which, as stated in commit
68e068cabd2c6c53 ("net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets"):
"The feature is only enabled on devices that support BIG TCP TSO.
The header is only present for PF_PACKET taps like tcpdump,
and not transmitted by physical devices."
kernel log output (truncated):
WARNING: CPU: 1 PID: 5273 at net/core/dev.c:3535 skb_warn_bad_offload+0x81/0x140
...
Call Trace:
<TASK>
skb_checksum_help+0x12a/0x1f0
validate_xmit_skb+0x1a3/0x2d0
validate_xmit_skb_list+0x4f/0x80
sch_direct_xmit+0x1a2/0x380
__dev_xmit_skb+0x242/0x670
__dev_queue_xmit+0x3fc/0x7f0
ip6_finish_output2+0x25e/0x5d0
ip6_finish_output+0x1fc/0x3f0
ip6_tnl_xmit+0x608/0xc00 [ip6_tunnel]
ip6gre_tunnel_xmit+0x1c0/0x390 [ip6_gre]
dev_hard_start_xmit+0x63/0x1c0
__dev_queue_xmit+0x6d0/0x7f0
ip6_finish_output2+0x214/0x5d0
ip6_finish_output+0x1fc/0x3f0
ip6_xmit+0x2ca/0x6f0
ip6_finish_output+0x1fc/0x3f0
ip6_xmit+0x2ca/0x6f0
inet6_csk_xmit+0xeb/0x150
__tcp_transmit_skb+0x555/0xa80
tcp_write_xmit+0x32a/0xe90
tcp_sendmsg_locked+0x437/0x1110
tcp_sendmsg+0x2f/0x50
...
skb linear: 00000000: e4 3d 1a 7d ec 30 e4 3d 1a 7e 5d 90 86 dd 60 0e
skb linear: 00000010: 00 0a 1b 34 3c 40 20 11 00 00 00 00 00 00 00 00
skb linear: 00000020: 00 00 00 00 00 12 20 11 00 00 00 00 00 00 00 00
skb linear: 00000030: 00 00 00 00 00 11 2f 00 04 01 04 01 01 00 00 00
skb linear: 00000040: 86 dd 60 0e 00 0a 1b 00 06 40 20 23 00 00 00 00
skb linear: 00000050: 00 00 00 00 00 00 00 00 00 12 20 23 00 00 00 00
skb linear: 00000060: 00 00 00 00 00 00 00 00 00 11 bf 96 14 51 13 f9
skb linear: 00000070: ae 27 a0 a8 2b e3 80 18 00 40 5b 6f 00 00 01 01
skb linear: 00000080: 08 0a 42 d4 50 d5 4b 70 f8 1a
The Linux kernel CVE team has assigned CVE-2025-39770 to this issue.
Affected and fixed versions
===========================
Issue introduced in 6.1.116 with commit a84978a9cda68f0afe3f01d476c68db21526baf1 and fixed in 6.1.149 with commit a0478d7e888028f85fa7785ea838ce0ca09398e2
Issue introduced in 6.6.60 with commit c69bc67c1cb211aa390bea6e512bb01b1241fefb and fixed in 6.6.103 with commit 2156d9e9f2e483c8c3906c0ea57ea312c1424235
Issue introduced in 6.12 with commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c and fixed in 6.12.44 with commit 041e2f945f82fdbd6fff577b79c33469430297aa
Issue introduced in 6.12 with commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c and fixed in 6.16.4 with commit 794ddbb7b63b6828c75967b9bcd43b086716e7a1
Issue introduced in 6.12 with commit 04c20a9356f283da623903e81e7c6d5df7e4dc3c and fixed in 6.17-rc3 with commit 864e3396976ef41de6cc7bc366276bf4e084fff2
Issue introduced in 4.19.323 with commit bcefc3cd7f592a70fcbbbfd7ad1fbc69172ea78b
Issue introduced in 5.4.285 with commit 477b35d94a21530046fe91589960732fcf2b29ed
Issue introduced in 5.10.229 with commit a27a5c40ee4cbe00294e2c76160de5f2589061ba
Issue introduced in 5.15.171 with commit 9f605135a5c0fe614c2b15197b9ced1e217eca59
Issue introduced in 6.11.7 with commit 705350fbd6ed4b5d89ee045fa57a0594a72b17d7
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2025-39770
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
net/core/dev.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/a0478d7e888028f85fa7785ea838ce0ca09398e2
https://git.kernel.org/stable/c/2156d9e9f2e483c8c3906c0ea57ea312c1424235
https://git.kernel.org/stable/c/041e2f945f82fdbd6fff577b79c33469430297aa
https://git.kernel.org/stable/c/794ddbb7b63b6828c75967b9bcd43b086716e7a1
https://git.kernel.org/stable/c/864e3396976ef41de6cc7bc366276bf4e084fff2
Powered by blists - more mailing lists