CVE-2025-21629

net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offoad of IPv6 packets with
extension headers on devices that advertise NETIF_F_IPV6_CSUM,
based on the definition of that feature in skbuff.h: * * - %NETIF_F_IPV6_CSUM * - Driver (device) is only able to checksum plain * TCP or UDP packets over IPv6. These are specifically * unencapsulated packets of the form IPv6|TCP or * IPv6|UDP where the Next Header field in the IPv6 * header is either TCP or UDP. IPv6 extension headers * are not supported with this feature. This feature * cannot be set in features for a device with * NETIF_F_HW_CSUM also set. This feature is being * DEPRECATED (see below). The change causes skb_warn_bad_offload to fire for BIG TCP
packets. [ 496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0 [ 496.310297] ? skb_warn_bad_offload+0xc4/0xe0
[ 496.310300] skb_checksum_help+0x129/0x1f0
[ 496.310303] skb_csum_hwoffload_help+0x150/0x1b0
[ 496.310306] validate_xmit_skb+0x159/0x270
[ 496.310309] validate_xmit_skb_list+0x41/0x70
[ 496.310312] sch_direct_xmit+0x5c/0x250
[ 496.310317] __qdisc_run+0x388/0x620 BIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to
communicate packet length, as this is an IPv6 jumbogram. But, the
feature is only enabled on devices that support BIG TCP TSO. The
header is only present for PF_PACKET taps like tcpdump, and not
transmitted by physical devices. For this specific case of extension headers that are not
transmitted, return to the situation before the blamed commit
and support hardware offload. ipv6_has_hopopt_jumbo() tests not only whether this header is present,
but also that it is the only extension header before a terminal (L4)
header.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: volver a habilitar la descarga de NETIF_F_IPV6_CSUM para paquetes TCP GRANDES La confirmación culpable deshabilitó la descarga de hardware de paquetes IPv6 con encabezados de extensión en dispositivos que anuncian NETIF_F_IPV6_CSUM, según la definición de esa característica en skbuff.h: * * - %NETIF_F_IPV6_CSUM * - El controlador (dispositivo) solo puede realizar la suma de comprobación de paquetes TCP o UDP simples sobre IPv6. Estos son específicamente * paquetes no encapsulados del formato IPv6|TCP o * IPv6|UDP donde el campo Encabezado siguiente en el encabezado IPv6 * es TCP o UDP. Los encabezados de extensión IPv6 * no son compatibles con esta característica. Esta característica * no se puede configurar en las características de un dispositivo con * NETIF_F_HW_CSUM también configurado. Esta característica está * OBSOLETA (ver a continuación). El cambio hace que skb_warn_bad_offload se active para paquetes TCP GRANDES. [ 496.310233] ADVERTENCIA: CPU: 13 PID: 23472 en net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0 [ 496.310297] ? skb_warn_bad_offload+0xc4/0xe0 [ 496.310300] skb_checksum_help+0x129/0x1f0 [ 496.310303] skb_csum_hwoffload_help+0x150/0x1b0 [ 496.310306] validation_xmit_skb+0x159/0x270 [ 496.310309] validation_xmit_skb_list+0x41/0x70 [ 496.310312] sch_direct_xmit+0x5c/0x250 [ 496.310317] __qdisc_run+0x388/0x620 BIG TCP introdujo un encabezado de extensión IPv6_TLV_JUMBO IPv6 para comunicar paquetes longitud, ya que se trata de un jumbograma IPv6. Sin embargo, la función solo está habilitada en dispositivos que admiten BIG TCP TSO. El encabezado solo está presente para las derivaciones PF_PACKET como tcpdump, y no se transmite por dispositivos físicos. Para este caso específico de encabezados de extensión que no se transmiten, regrese a la situación anterior a la confirmación culpable y admita la descarga de hardware. ipv6_has_hopopt_jumbo() prueba no solo si este encabezado está presente, sino también que sea el único encabezado de extensión antes de un encabezado de terminal (L4).

In the Linux kernel, the following vulnerability has been resolved: net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets The blamed commit disabled hardware offoad of IPv6 packets with extension headers on devices that advertise NETIF_F_IPV6_CSUM, based on the definition of that feature in skbuff.h: * * - %NETIF_F_IPV6_CSUM * - Driver (device) is only able to checksum plain * TCP or UDP packets over IPv6. These are specifically * unencapsulated packets of the form IPv6|TCP or * IPv6|UDP where the Next Header field in the IPv6 * header is either TCP or UDP. IPv6 extension headers * are not supported with this feature. This feature * cannot be set in features for a device with * NETIF_F_HW_CSUM also set. This feature is being * DEPRECATED (see below). The change causes skb_warn_bad_offload to fire for BIG TCP packets. [ 496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe0 [ 496.310297] ? skb_warn_bad_offload+0xc4/0xe0 [ 496.310300] skb_checksum_help+0x129/0x1f0 [ 496.310303] skb_csum_hwoffload_help+0x150/0x1b0 [ 496.310306] validate_xmit_skb+0x159/0x270 [ 496.310309] validate_xmit_skb_list+0x41/0x70 [ 496.310312] sch_direct_xmit+0x5c/0x250 [ 496.310317] __qdisc_run+0x388/0x620 BIG TCP introduced an IPV6_TLV_JUMBO IPv6 extension header to communicate packet length, as this is an IPv6 jumbogram. But, the feature is only enabled on devices that support BIG TCP TSO. The header is only present for PF_PACKET taps like tcpdump, and not transmitted by physical devices. For this specific case of extension headers that are not transmitted, return to the situation before the blamed commit and support hardware offload. ipv6_has_hopopt_jumbo() tests not only whether this header is present, but also that it is the only extension header before a terminal (L4) header.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-01-15 CVE Published
2025-01-15 CVE Updated
2025-01-16 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (12)

URL	Tag	Source
https://git.kernel.org/stable/c/a84978a9cda68f0afe3f01d476c68db21526baf1	Vuln. Introduced
https://git.kernel.org/stable/c/c69bc67c1cb211aa390bea6e512bb01b1241fefb	Vuln. Introduced
https://git.kernel.org/stable/c/04c20a9356f283da623903e81e7c6d5df7e4dc3c	Vuln. Introduced
https://git.kernel.org/stable/c/bcefc3cd7f592a70fcbbbfd7ad1fbc69172ea78b	Vuln. Introduced
https://git.kernel.org/stable/c/477b35d94a21530046fe91589960732fcf2b29ed	Vuln. Introduced
https://git.kernel.org/stable/c/a27a5c40ee4cbe00294e2c76160de5f2589061ba	Vuln. Introduced
https://git.kernel.org/stable/c/9f605135a5c0fe614c2b15197b9ced1e217eca59	Vuln. Introduced
https://git.kernel.org/stable/c/705350fbd6ed4b5d89ee045fa57a0594a72b17d7	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/ac9cfef69565021c9e1022a493a9c40b03e2caf9	2025-01-09
https://git.kernel.org/stable/c/95ccf006bbc8b59044313b8c309dcf29c546abd4	2025-01-09
https://git.kernel.org/stable/c/d3b7a9c7597b779039a51d7b34116fbe424bf2b7	2025-01-09
https://git.kernel.org/stable/c/68e068cabd2c6c533ef934c2e5151609cf6ecc6d	2025-01-03

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.116 < 6.1.124 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.116 < 6.1.124"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6.60 < 6.6.70 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6.60 < 6.6.70"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12 < 6.12.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12 < 6.12.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.12 < 6.13-rc6 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.12 < 6.13-rc6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.323 Search vendor "Linux" for product "Linux Kernel" and version "4.19.323"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.285 Search vendor "Linux" for product "Linux Kernel" and version "5.4.285"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.10.229 Search vendor "Linux" for product "Linux Kernel" and version "5.10.229"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.171 Search vendor "Linux" for product "Linux Kernel" and version "5.15.171"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				6.11.7 Search vendor "Linux" for product "Linux Kernel" and version "6.11.7"		en		Affected