For those following updates to the Linux kernel: a recent vulnerability, CVE-2025-21629, has been discovered and resolved. It concerns the offloading of IPv6 packets with extension headers on devices advertising NETIF_F_IPV6_CSUM. This article covers the details of the issue, the changes made to address it, and how to avoid it.
Background
The vulnerability stems from a change that disabled hardware offload of IPv6 packets with extension headers on devices that advertise NETIF_F_IPV6_CSUM. This feature is documented in the skbuff.h file: a device that sets it offloads the checksum of plain TCP or UDP packets over IPv6 only.
As a result of that change, skb_warn_bad_offload can be triggered for BIG TCP packets.
Issue Details
The issue is that NETIF_F_IPV6_CSUM does not support IPv6 extension headers. This caused problems with BIG TCP packets, since BIG TCP introduced an IPV6_TLV_JUMBO extension header to communicate packet length.
Here is the kernel warning and call trace showing the problem:
[ 496.310233] WARNING: CPU: 13 PID: 23472 at net/core/dev.c:3129 skb_warn_bad_offload+0xc4/0xe
[ 496.310297] ? skb_warn_bad_offload+0xc4/0xe
[ 496.310300] skb_checksum_help+0x129/0x1f
[ 496.310303] skb_csum_hwoffload_help+0x150/0x1b
[ 496.310306] validate_xmit_skb+0x159/0x270
[ 496.310309] validate_xmit_skb_list+0x41/0x70
[ 496.310312] sch_direct_xmit+0x5c/0x250
[ 496.310317] __qdisc_run+0x388/0x620
This specific problem occurs because the IPV6_TLV_JUMBO extension header was only enabled on devices supporting BIG TCP TSO and was not present for physical devices. As a result, the hardware offload did not fully support IPv6 extension headers.
Solution
To resolve this vulnerability, devices supporting hardware offload return to the situation before the blamed commit and continue to fully support IPv6 extension headers. The fix identifies the presence of the IPV6_TLV_JUMBO extension header using the ipv6_has_hopopt_jumbo() function, which checks for this header and verifies that it is the only extension header before a terminal (Layer 4, L4) header.
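The check described above can be modelled in userspace on a raw packet buffer. This is an added example, not the kernel's code: has_hopopt_jumbo(), ipv6_csum_offload_ok() and build() are hypothetical names, the sample packets are constructed, and it assumes TCP as the terminal header and leaves out the kernel's skb handling.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { IPV6_HDR_LEN = 40, HOP_JUMBO_LEN = 8,   /* fixed header; 8-byte Hop-by-Hop */
       NH_HOP = 0, NH_TCP = 6, NH_UDP = 17,    /* Next Header values */
       TLV_JUMBO = 0xC2 };                     /* Jumbo Payload option (RFC 2675) */

/* Userspace analogue (hypothetical) of the check the article describes:
 * returns the L4 protocol when a Hop-by-Hop header holding only the jumbo
 * TLV is the sole extension header in front of TCP, otherwise 0. */
static int has_hopopt_jumbo(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN + HOP_JUMBO_LEN || pkt[6] != NH_HOP)
        return 0;                      /* pkt[6] is the IPv6 Next Header field */
    const uint8_t *hop = pkt + IPV6_HDR_LEN;
    /* hdr len 0 means exactly 8 bytes: there is room for one TLV only */
    if (hop[1] != 0 || hop[2] != TLV_JUMBO || hop[3] != 4)
        return 0;
    return hop[0] == NH_TCP ? NH_TCP : 0;   /* assumed: TCP is the L4 header */
}

/* 1: an engine limited to IPv6|TCP and IPv6|UDP may checksum the packet.
 * 0: another extension header is present, so checksum in software. */
static int ipv6_csum_offload_ok(const uint8_t *pkt, size_t len)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return 0;
    if (pkt[6] == NH_TCP || pkt[6] == NH_UDP)
        return 1;                      /* plain packet, no extension headers */
    return has_hopopt_jumbo(pkt, len) != 0;
}

/* Constructed sample: IPv6 header followed by one 8-byte extension header. */
static void build(uint8_t p[48], uint8_t first_nh, uint8_t ext_nh, uint8_t tlv)
{
    memset(p, 0, 48);
    p[0] = 0x60; p[6] = first_nh; p[40] = ext_nh; p[42] = tlv; p[43] = 4;
}

int main(void)
{
    uint8_t p[48];
    build(p, NH_HOP, NH_TCP, TLV_JUMBO);
    printf("jumbo TLV then TCP: %d\n", ipv6_csum_offload_ok(p, sizeof p));
    build(p, NH_HOP, NH_TCP, 0x01);    /* PadN option instead of jumbo */
    printf("other option then TCP: %d\n", ipv6_csum_offload_ok(p, sizeof p));
}
```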
Conclusion
CVE-2025-21629 demonstrates the importance of keeping up to date with changes in the Linux Kernel. By identifying this vulnerability, developers were able to address the problem and improve the security, functionality, and overall performance of the Linux Kernel. To ensure the safety and security of your systems, always stay informed about vulnerabilities and updates, and apply patches as necessary.
Timeline
Published on: 01/15/2025 13:15:15 UTC
Last modified on: 01/20/2025 06:29:46 UTC