A vulnerability (CVE-2021-47036) has been resolved in the Linux kernel that could lead to inner protocol corruption when certain conditions were met regarding the Layer 4 (L4) aggregation of User Datagram Protocol (UDP) tunnel packets. This post explores the details of the patch, describes the vulnerability's potential impact, and provides links to original references for further information. The patch is important because it helps secure Linux systems against potential attack vectors and prevents several related network issues, such as inner headers being ignored and TCP packets being delayed.

Vulnerability Exploit Details

The vulnerability in question lies within the udp_gro_receive() function, which could end up performing L4 aggregation (either SKB_GSO_UDP_L4 or SKB_GSO_FRAGLIST) for packets carrying a UDP tunnel header if these two conditions were met:

There are UDP tunnels available in the system.

When this occurs, the inner protocol could become corrupted, leading to possible security risks and network issues. For example, if packets contained a Virtual Extensible LAN (VXLAN) header, the engine would incorrectly aggregate different VXLAN ids into the same GSO packet. Additionally, inner headers would be ignored, causing delays in TCP packets over VXLAN.

Patch Details

The patch addresses this issue by skipping the SKB_GSO_UDP_L4 and SKB_GSO_FRAGLIST code paths when the current packet could belong to a UDP tunnel. Instead, udp_gro_receive() will use GRO via udp_sk(sk)->gro_receive.

It should be noted that the check implemented in this patch is broader than strictly necessary, as it may end up skipping GRO entirely for some packets if a UDP tunnel is configured on top of a different device. However, this is considered a corner case, and accounting for it would increase complexity.
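To make the failure mode and the fix concrete, here is an added example (a user-space model written for this post, not the kernel's code or the patch itself): it parses RFC 7348 VXLAN headers, coalesces consecutive datagrams of one outer UDP flow the way L4 aggregation does, and shows that without the patch's check three VXLAN datagrams carrying VNIs 100, 200 and 100 end up in a single GSO packet with mixed VNIs, while with the check they are flushed individually and only the plain, non-tunnel UDP traffic is still aggregated. The tunnel-port lookup is deliberately system-wide rather than per-device, mirroring the broader-than-needed check described above. All packets, addresses, ports and the names `tunnel_port`, `could_land_in_tunnel`, `gro_l4_aggregate`, `mixes_vnis` and `run_scenario` are constructed for the example.

```c
/* Added example, not kernel code: a user-space model of the bug and of the
 * fix's "could this land in a UDP tunnel?" check. All data is constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define VXLAN_PORT   4789   /* IANA-assigned VXLAN port, RFC 7348 */
#define VXLAN_FLAG_I 0x08   /* "VNI present" flag bit */

struct udp_pkt {            /* outer 4-tuple plus the UDP payload */
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    const uint8_t *payload;
    size_t len;
};

struct gso_pkt { int members[8], n; };  /* datagrams coalesced into one GRO packet */

/* Parse an RFC 7348 VXLAN header: flags(1) rsvd(3) VNI(3) rsvd(1). */
bool vxlan_parse(const uint8_t *p, size_t len, uint32_t *vni)
{
    if (len < 8 || !(p[0] & VXLAN_FLAG_I))
        return false;
    *vni = ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 8) | p[6];
    return true;
}

/* System-wide UDP tunnel port (0 = none). Like the patch's check it is not
 * per-device: tunnel-port traffic on a device without a tunnel is skipped too. */
static uint16_t tunnel_port;

bool could_land_in_tunnel(const struct udp_pkt *pkt)
{
    return tunnel_port != 0 && pkt->dport == tunnel_port;
}

static bool same_flow(const struct udp_pkt *a, const struct udp_pkt *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport && a->len == b->len;
}

/* Minimal L4 GRO model: coalesce consecutive datagrams of one outer flow. With
 * skip_tunnel set (the fix), a tunnel-bound datagram always starts its own packet;
 * same_flow implies the same dport, so nothing later merges into it either. */
int gro_l4_aggregate(const struct udp_pkt *pkts, int n, bool skip_tunnel,
                     struct gso_pkt *out)
{
    int count = 0;
    for (int i = 0; i < n; i++) {
        bool skip = skip_tunnel && could_land_in_tunnel(&pkts[i]);
        if (!skip && count && same_flow(&pkts[out[count - 1].members[0]], &pkts[i])) {
            out[count - 1].members[out[count - 1].n++] = i;
            continue;
        }
        out[count++] = (struct gso_pkt){ .members = { i }, .n = 1 };
    }
    return count;   /* number of resulting GSO packets */
}

/* True when one GSO packet holds VXLAN datagrams with different VNIs, i.e. the
 * inner streams of two virtual networks were glued together. */
bool mixes_vnis(const struct udp_pkt *pkts, const struct gso_pkt *out, int count)
{
    for (int g = 0; g < count; g++) {
        uint32_t first = UINT32_MAX, vni;   /* VNIs are 24-bit, so this means "unset" */
        for (int m = 0; m < out[g].n; m++) {
            const struct udp_pkt *p = &pkts[out[g].members[m]];
            if (!vxlan_parse(p->payload, p->len, &vni))
                continue;       /* not VXLAN-shaped: nothing to compare */
            if (first != UINT32_MAX && vni != first)
                return true;
            first = vni;
        }
    }
    return false;
}

/* Constructed payloads: VXLAN headers for VNI 100 / 200 plus inner bytes, and a
 * plain non-VXLAN payload (first byte 0x01 lacks the I flag). */
static const uint8_t vx100[16] = {0x08,0,0,0, 0,0,0x64,0, 0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA,0xAA};
static const uint8_t vx200[16] = {0x08,0,0,0, 0,0,0xC8,0, 0xBB,0xBB,0xBB,0xBB,0xBB,0xBB,0xBB,0xBB};
static const uint8_t plain[16] = {1,2,3,4,5,6,7,8, 9,10,11,12,13,14,15,16};

/* One run: three VXLAN datagrams on one outer flow (VNIs 100, 200, 100), then two
 * plain datagrams to a non-tunnel port. Returns whether VNIs got mixed and stores
 * the number of GSO packets produced in *gso_count. */
bool run_scenario(bool with_fix, int *gso_count)
{
    struct udp_pkt pkts[5] = {
        { 0x0A000001, 0x0A000002, 40000, VXLAN_PORT, vx100, 16 },
        { 0x0A000001, 0x0A000002, 40000, VXLAN_PORT, vx200, 16 },
        { 0x0A000001, 0x0A000002, 40000, VXLAN_PORT, vx100, 16 },
        { 0x0A000001, 0x0A000002, 40001, 5000,       plain, 16 },
        { 0x0A000001, 0x0A000002, 40001, 5000,       plain, 16 },
    };
    struct gso_pkt out[8];
    tunnel_port = VXLAN_PORT;          /* a VXLAN tunnel exists in the system */
    *gso_count = gro_l4_aggregate(pkts, 5, with_fix, out);
    return mixes_vnis(pkts, out, *gso_count);
}
```

Calling `run_scenario(false, &n)` yields two GSO packets and reports mixed VNIs (the three tunnel datagrams were glued together); `run_scenario(true, &n)` yields four GSO packets with no mixing, because the three tunnel datagrams are flushed on their own while the two plain datagrams to port 5000 still coalesce. The per-port, system-wide `tunnel_port` is what makes the check conservative: a datagram to port 4789 would be skipped even on a device that carries no VXLAN tunnel, which is the corner case the text accepts in exchange for simplicity.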

Here's a snippet illustrating the code patch:

if (skb_gro_remcsum_processing && encap) {
	...
	/* without fraglist GRO built in, never leave the fraglist GSO type set */
	if (!IS_ENABLED(CONFIG_NETIF_F_GRO_FRAGLIST))
		skb_shinfo(skb)->gso_type &= ~SKB_GSO_FRAGLIST;
}

Original References and Additional Resources

1. For the complete patch details, visit the Linux kernel repository on GitHub: udp: skip L4 aggregation for UDP tunnel packets
2. For more information on the User Datagram Protocol (UDP), refer to the Internet Engineering Task Force's (IETF) UDP Specification
3. For more information on Virtual Extensible LAN (VXLAN), refer to the IETF's VXLAN Specification
4. To learn more about Linux kernel vulnerabilities, visit the National Vulnerability Database

Conclusion

The discovered vulnerability in the Linux kernel, CVE-2021-47036, has been resolved with an update in the udp_gro_receive() function that now correctly prevents L4 aggregation for UDP tunnel packets. This fix is crucial in maintaining a secure and well-functioning network environment using Linux. Stay informed and up-to-date on the latest patches, vulnerabilities, and best practices to ensure your systems are protected against potential threats.

Timeline

Published on: 02/28/2024 09:15:39 UTC
Last modified on: 02/28/2024 14:06:45 UTC