PT-2024-33790 · Linux+8 · Linux Kernel+8
David Ahern +3 · Published 2024-09-24 · Updated 2025-09-29 · CVE-2024-49948
CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
The issue arises from insufficient sanity checks in the qdisc_pkt_len_init() function, specifically when handling SKB_GSO_DODGY packets. The virtio_net_hdr_to_skb() function does not fully dissect TCP headers, only ensuring they are at least 20 bytes long. This allows a user to craft a malicious 'GSO' packet with a total length of 80 bytes, comprising a 20-byte IPv4 header, a 60-byte TCP header, and a small gso_size like 8. As a result, virtio_net_hdr_to_skb() would incorrectly identify this packet as a normal GSO packet due to the perceived payload size being larger than gso_size. This can lead to an underflow in qdisc_skb_cb(skb)->pkt_len.
Recommendations:
For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider implementing additional sanity checks for SKB_GSO_DODGY packets to prevent underflow in qdisc_skb_cb(skb)->pkt_len. Restrict the use of the virtio_net_hdr_to_skb() function until the update is applied to minimize the risk of exploitation.
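The length accounting from the description and the sanity check from the recommendations, as an added userspace C model (not the kernel's code and not part of the original advisory). The `struct pkt` type, the function names and the well-formed sample packet are assumptions made for illustration; the link-layer header is left out so the numbers match the 80-byte packet above.

```c
#include <stdint.h>
#include <stdio.h>

#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/* Hypothetical stand-in for the skb fields the accounting reads. */
struct pkt {
    uint32_t len;      /* total bytes, like skb->len (link-layer header omitted) */
    uint32_t hdr_len;  /* IPv4 header + TCP header as the TCP data offset declares */
    uint16_t gso_size; /* sender-supplied payload bytes per segment, non-zero */
};

/* The page's packet: 20-byte IPv4 + 60-byte TCP header, 80 bytes total, gso_size 8. */
static const struct pkt CRAFTED = { 80, 20 + 60, 8 };
/* Constructed well-formed packet: 40 header bytes + two 1448-byte segments. */
static const struct pkt NORMAL = { 40 + 2 * 1448, 40, 1448 };

/* No payload check: the segment count is derived from len - hdr_len as-is. */
static uint32_t pkt_len_unchecked(const struct pkt *p)
{
    uint16_t gso_segs = DIV_ROUND_UP(p->len - p->hdr_len, p->gso_size);

    /* With zero payload gso_segs is 0, (gso_segs - 1) is -1, and the sum wraps. */
    return p->len + (gso_segs - 1) * p->hdr_len;
}

/* With the sanity check: a packet without payload gets no per-segment estimate. */
static uint32_t pkt_len_checked(const struct pkt *p)
{
    int64_t payload = (int64_t)p->len - (int64_t)p->hdr_len;

    if (payload <= 0)
        return p->len; /* malformed GSO metadata: account the raw length only */
    uint32_t gso_segs = DIV_ROUND_UP((uint32_t)payload, p->gso_size);
    return p->len + (gso_segs - 1) * p->hdr_len;
}

int main(void)
{
    printf("crafted: unchecked=%u checked=%u\n",
           pkt_len_unchecked(&CRAFTED), pkt_len_checked(&CRAFTED));
    printf("normal:  unchecked=%u checked=%u\n",
           pkt_len_unchecked(&NORMAL), pkt_len_checked(&NORMAL));
    return 0;
}
```

For the well-formed packet both functions agree; for the crafted one the unchecked result drops below the packet's real 80 bytes, while the checked version falls back to the raw length.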
Affected Products
ALT Linux
Astra Linux
Debian
Linux Mint
Linux Kernel
Red Hat
RED OS
SUSE
Ubuntu