{"uuid": "824a3eb6-0fa0-4689-97cf-f7bb7712c4c1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2022-48936", "type": "seen", "source": "https://t.me/cvedetector/3893", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2022-48936 - Linux Kernel virtue_net IPVS IPip Tunnel GSO Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2022-48936 \nPublished : Aug. 22, 2024, 4:15 a.m. | 31\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \ngso: do not skip outer ip header in case of ipip and net_failover  \n  \nWe encounter a tcp drop issue in our cloud environment. Packet GROed in  \nhost forwards to a VM virtio_net nic with net_failover enabled. VM acts  \nas a IPVS LB with ipip encapsulation. The full path like:  \nhost gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat  \n -> ipip encap -> net_failover tx -> virtio_net tx  \n  \nWhen net_failover transmits a ipip pkt (gso_type = 0x0103, which means  \nSKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso  \ndid because it supports TSO and GSO_IPXIP4. But network_header points to  \ninner ip header.  \n  \nCall Trace:  \n tcp4_gso_segment        ------> return NULL  \n inet_gso_segment        ------> inner iph, network_header points to  \n ipip_gso_segment  \n inet_gso_segment        ------> outer iph  \n skb_mac_gso_segment  \n  \nAfterwards virtio_net transmits the pkt, only inner ip header is modified.  \nAnd the outer one just keeps unchanged. The pkt will be dropped in remote  \nhost.  \n  \nCall Trace:  \n inet_gso_segment        ------> inner iph, outer iph is skipped  \n skb_mac_gso_segment  \n __skb_gso_segment  \n validate_xmit_skb  \n validate_xmit_skb_list  \n sch_direct_xmit  \n __qdisc_run  \n __dev_queue_xmit        ------> virtio_net  \n dev_hard_start_xmit  \n __dev_queue_xmit        ------> net_failover  \n ip_finish_output2  \n ip_output  \n iptunnel_xmit  \n ip_tunnel_xmit  \n ipip_tunnel_xmit        ------> ipip  \n dev_hard_start_xmit  \n __dev_queue_xmit  \n ip_finish_output2  \n ip_output  \n ip_forward  \n ip_rcv  \n __netif_receive_skb_one_core  \n netif_receive_skb_internal  \n napi_gro_receive  \n receive_buf  \n virtnet_poll  \n net_rx_action  \n  \nThe root cause of this issue is specific with the rare combination of  \nSKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.  \nSKB_GSO_DODGY is set from external virtio_net. We need to reset network  \nheader when callbacks.gso_segment() returns NULL.  \n  \nThis patch also includes ipv6_gso_segment(), considering SIT, etc. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"22 Aug 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-08-22T06:49:31.000000Z"}