CVE-2026-31684
Out-of-Bounds Read in Linux Kernel VLAN Header Processing
Publication date: 2026-04-25
Last updated on: 2026-04-27
Assigner: kernel.org
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux_kernel | linux_kernel | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Linux kernel's network scheduler checksum action (act_csum). The function tcf_csum_act() processes nested VLAN headers by reading data directly from the packet buffer (skb->data) without first verifying that the entire VLAN header is present in the linear portion of the buffer.
Specifically, it reads the h_vlan_encapsulated_proto field and then pulls VLAN_HLEN bytes without ensuring the full VLAN header is available. If only part of the inner VLAN header is linearized, this can cause the code to read beyond the linear area, potentially violating skb buffer invariants.
The fix requires checking with pskb_may_pull(skb, VLAN_HLEN) before accessing and pulling each nested VLAN header. If the full header is not available, the packet is dropped through an existing error path.
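A simplified userspace model of the per-header check described above, as an added example that is not the kernel's code and not part of the original page. `toy_skb`, `toy_may_pull`, `strip_vlan_tags`, `parse_sample` and the sample bytes are hypothetical names and constructed data; only `VLAN_HLEN`, `pskb_may_pull` and `h_vlan_encapsulated_proto` come from the text.

```c
#include <stdint.h>
#include <stdio.h>

#define VLAN_HLEN    4        /* TCI (2 bytes) + encapsulated proto (2 bytes) */
#define ETH_P_8021Q  0x8100
#define ETH_P_8021AD 0x88A8

/* Hypothetical stand-in for an skb: only `linear` bytes are directly readable. */
struct toy_skb { const uint8_t *data; size_t linear; };

/* Models the pskb_may_pull() contract: true only if `len` bytes are linear.
 * The real helper can also pull bytes in from fragments; this model cannot. */
static int toy_may_pull(const struct toy_skb *skb, size_t len)
{
    return len <= skb->linear;
}

/* Strip nested VLAN tags at skb->data. `proto` is the EtherType that led
 * here. Returns the inner protocol, or -1 for a truncated tag (drop). */
static int strip_vlan_tags(struct toy_skb *skb, uint16_t proto)
{
    while (proto == ETH_P_8021Q || proto == ETH_P_8021AD) {
        if (!toy_may_pull(skb, VLAN_HLEN))   /* required before each tag */
            return -1;
        /* h_vlan_encapsulated_proto: offset 2, big-endian */
        proto = (uint16_t)((skb->data[2] << 8) | skb->data[3]);
        skb->data += VLAN_HLEN;              /* the VLAN_HLEN pull */
        skb->linear -= VLAN_HLEN;
    }
    return proto;
}

/* Constructed sample: two stacked 802.1Q tags, then IPv4 (0x0800). */
static const uint8_t sample_qinq[] = {
    0x00, 0x64, 0x81, 0x00,   /* outer tag: VID 100, next = 802.1Q */
    0x00, 0xc8, 0x08, 0x00,   /* inner tag: VID 200, next = IPv4   */
};

int parse_sample(size_t linear)
{
    struct toy_skb skb = { sample_qinq, linear };  /* `linear` bytes linearized */
    return strip_vlan_tags(&skb, ETH_P_8021Q);
}

int main(void)
{
    for (size_t n = 4; n <= 8; n++)   /* n = 6: inner tag partly linear */
        printf("linear=%zu -> %d\n", n, parse_sample(n));
    return 0;
}
```

With 6 linear bytes the inner tag is only half present, so the walk returns -1 (drop) instead of reading its protocol field.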
How can this vulnerability impact me?
This vulnerability can lead to improper handling of network packets with nested VLAN headers, potentially causing the kernel to read beyond the intended memory area in the packet buffer.
Such out-of-bounds reads may violate kernel memory safety invariants, which could result in kernel instability, crashes, or other unpredictable behavior.
While the description does not explicitly mention exploitation scenarios, memory safety violations in the kernel can sometimes be leveraged for denial of service or privilege escalation.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is resolved by requiring pskb_may_pull(skb, VLAN_HLEN) to succeed before the kernel accesses and pulls each nested VLAN header, so that nested VLAN headers are validated properly.
To mitigate this vulnerability immediately, update your Linux kernel to a version that includes this fix, which prevents reading past the linear area and drops malformed packets safely.