{"id":"CVE-2024-26804","summary":"net: ip_tunnel: prevent perpetual headroom growth","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ip_tunnel: prevent perpetual headroom growth\n\nsyzkaller triggered following kasan splat:\nBUG: KASAN: use-after-free in __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\nRead of size 1 at addr ffff88812fb4000e by task syz-executor183/5191\n[..]\n kasan_report+0xda/0x110 mm/kasan/report.c:588\n __skb_flow_dissect+0x19d1/0x7a50 net/core/flow_dissector.c:1170\n skb_flow_dissect_flow_keys include/linux/skbuff.h:1514 [inline]\n ___skb_get_hash net/core/flow_dissector.c:1791 [inline]\n __skb_get_hash+0xc7/0x540 net/core/flow_dissector.c:1856\n skb_get_hash include/linux/skbuff.h:1556 [inline]\n ip_tunnel_xmit+0x1855/0x33c0 net/ipv4/ip_tunnel.c:748\n ipip_tunnel_xmit+0x3cc/0x4e0 net/ipv4/ipip.c:308\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4349\n dev_queue_xmit include/linux/netdevice.h:3134 [inline]\n neigh_connected_output+0x42c/0x5d0 net/core/neighbour.c:1592\n ...\n ip_finish_output2+0x833/0x2550 net/ipv4/ip_output.c:235\n ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323\n ..\n iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82\n ip_tunnel_xmit+0x1dbc/0x33c0 net/ipv4/ip_tunnel.c:831\n ipgre_xmit+0x4a1/0x980 net/ipv4/ip_gre.c:665\n __netdev_start_xmit include/linux/netdevice.h:4940 [inline]\n netdev_start_xmit include/linux/netdevice.h:4954 [inline]\n xmit_one net/core/dev.c:3548 [inline]\n dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3564\n ...\n\nThe splat occurs because skb-\u003edata points past skb-\u003ehead allocated area.\nThis is because neigh layer does:\n  __skb_pull(skb, skb_network_offset(skb));\n\n... but skb_network_offset() returns a negative offset and __skb_pull()\narg is unsigned.  IOW, we skb-\u003edata gets \"adjusted\" by a huge value.\n\nThe negative value is returned because skb-\u003ehead and skb-\u003edata distance is\nmore than 64k and skb-\u003enetwork_header (u16) has wrapped around.\n\nThe bug is in the ip_tunnel infrastructure, which can cause\ndev-\u003eneeded_headroom to increment ad infinitum.\n\nThe syzkaller reproducer consists of packets getting routed via a gre\ntunnel, and route of gre encapsulated packets pointing at another (ipip)\ntunnel.  The ipip encapsulation finds gre0 as next output device.\n\nThis results in the following pattern:\n\n1). First packet is to be sent out via gre0.\nRoute lookup found an output device, ipip0.\n\n2).\nip_tunnel_xmit for gre0 bumps gre0-\u003eneeded_headroom based on the future\noutput device, rt.dev-\u003eneeded_headroom (ipip0).\n\n3).\nip output / start_xmit moves skb on to ipip0. which runs the same\ncode path again (xmit recursion).\n\n4).\nRouting step for the post-gre0-encap packet finds gre0 as output device\nto use for ipip0 encapsulated packet.\n\ntunl0-\u003eneeded_headroom is then incremented based on the (already bumped)\ngre0 device headroom.\n\nThis repeats for every future packet:\n\ngre0-\u003eneeded_headroom gets inflated because previous packets' ipip0 step\nincremented rt-\u003edev (gre0) headroom, and ipip0 incremented because gre0\nneeded_headroom was increased.\n\nFor each subsequent packet, gre/ipip0-\u003eneeded_headroom grows until\npost-expand-head reallocations result in a skb-\u003ehead/data distance of\nmore than 64k.\n\nOnce that happens, skb-\u003enetwork_header (u16) wraps around when\npskb_expand_head tries to make sure that skb_network_offset() is unchanged\nafter the headroom expansion/reallocation.\n\nAfter this skb_network_offset(skb) returns a different (and negative)\nresult post headroom expansion.\n\nThe next trip to neigh layer (or anything else that would __skb_pull the\nnetwork header) makes skb-\u003edata point to a memory location outside\nskb-\u003ehead area.\n\nv2: Cap the needed_headroom update to an arbitarily chosen upperlimit to\nprevent perpetual increase instead of dropping the headroom increment\ncompletely.","modified":"2026-04-03T13:14:43.051843Z","published":"2024-04-04T08:20:31.305Z","related":["ALSA-2024:3306","ALSA-2024:4211","ALSA-2024:4352","SUSE-SU-2024:3551-1","SUSE-SU-2024:3553-1","SUSE-SU-2024:3561-1","SUSE-SU-2024:3564-1","SUSE-SU-2024:3569-1","SUSE-SU-2024:3587-1","SUSE-SU-2024:3592-1","SUSE-SU-2024:4100-1","SUSE-SU-2025:0034-1","SUSE-SU-2025:01966-1","SUSE-SU-2025:01983-1","SUSE-SU-2025:02173-1","SUSE-SU-2025:20073-1","SUSE-SU-2025:20077-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26804.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/049d7989c67e8dd50f07a2096dbafdb41331fb9b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2e95350fe9db9d53c701075060ac8ac883b68aee"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9"},{"type":"WEB","url":"https://git.kernel.org/stable/c/ab63de24ebea36fe73ac7121738595d704b66d96"},{"type":"WEB","url":"https://git.kernel.org/stable/c/afec0c5cd2ed71ca95a8b36a5e6d03333bf34282"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f81e94d2dcd2397137edcb8b85f4c5bed5d22383"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26804.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26804"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"243aad830e8a4cdda261626fbaeddde16b08d04a"},{"fixed":"f81e94d2dcd2397137edcb8b85f4c5bed5d22383"},{"fixed":"2e95350fe9db9d53c701075060ac8ac883b68aee"},{"fixed":"afec0c5cd2ed71ca95a8b36a5e6d03333bf34282"},{"fixed":"ab63de24ebea36fe73ac7121738595d704b66d96"},{"fixed":"a0a1db40b23e8ff86dea2786c5ea1470bb23ecb9"},{"fixed":"049d7989c67e8dd50f07a2096dbafdb41331fb9b"},{"fixed":"5ae1e9922bbdbaeb9cfbe91085ab75927488ac0f"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"03017375b0122453e6dda833ff7bd4191915def5"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26804.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}