In the Linux kernel, the following vulnerability has been resolved:
net: missing check virtio
Two missing check in virtionethdrtoskb() allowed syzbot to crash kernels again
After the skbsegment function the buffer may become non-linear (nrfrags != 0), but since the SKBTXSHAREDFRAG flag is not set anywhere the _skblinearize function will not be executed, then the buffer will remain non-linear. Then the condition (offset >= skbheadlen(skb)) becomes true, which causes WARNONONCE in skbchecksum_help.
The struct skbuff and struct virtionethdr members must be mathematically related. (gsosize) must be greater than (needed) otherwise WARNONONCE. (remainder) must be greater than (needed) otherwise WARNONONCE. (remainder) may be 0 if division is without remainder.
offset+2 (4191) > skbheadlen() (1116) WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skbchecksumhelp+0x5e2/0x740 net/core/dev.c:3303 Modules linked in: CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023 RIP: 0010:skbchecksumhelp+0x5e2/0x740 net/core/dev.c:3303 Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286 RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209 RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001 RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d FS: 0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ipdofragment+0xa1b/0x18b0 net/ipv4/ipoutput.c:777 ipfragment.constprop.0+0x161/0x230 net/ipv4/ipoutput.c:584 ipfinishoutputgso net/ipv4/ipoutput.c:286 [inline] _ipfinishoutput net/ipv4/ipoutput.c:308 [inline] _ipfinishoutput+0x49c/0x650 net/ipv4/ipoutput.c:295 ipfinishoutput+0x31/0x310 net/ipv4/ipoutput.c:323 NFHOOKCOND include/linux/netfilter.h:303 [inline] ipoutput+0x13b/0x2a0 net/ipv4/ipoutput.c:433 dstoutput include/net/dst.h:451 [inline] iplocalout+0xaf/0x1a0 net/ipv4/ipoutput.c:129 iptunnelxmit+0x5b4/0x9b0 net/ipv4/iptunnelcore.c:82 ipip6tunnelxmit net/ipv6/sit.c:1034 [inline] sittunnelxmit+0xed2/0x28f0 net/ipv6/sit.c:1076 _netdevstartxmit include/linux/netdevice.h:4940 [inline] netdevstartxmit include/linux/netdevice.h:4954 [inline] xmitone net/core/dev.c:3545 [inline] devhardstartxmit+0x13d/0x6d0 net/core/dev.c:3561 _devqueuexmit+0x7c1/0x3d60 net/core/dev.c:4346 devqueuexmit include/linux/netdevice.h:3134 [inline] packetxmit+0x257/0x380 net/packet/afpacket.c:276 packetsnd net/packet/afpacket.c:3087 [inline] packetsendmsg+0x24ca/0x5240 net/packet/afpacket.c:3119 socksendmsgnosec net/socket.c:730 [inline] _socksendmsg+0xd5/0x180 net/socket.c:745 _syssendto+0x255/0x340 net/socket.c:2190 _dosyssendto net/socket.c:2202 [inline] _sesyssendto net/socket.c:2198 [inline] _x64syssendto+0xe0/0x1b0 net/socket.c:2198 dosyscallx64 arch/x86/entry/common.c:51 [inline] dosyscall64+0x40/0x110 arch/x86/entry/common.c:82 entrySYSCALL64after_hwframe+0x63/0x6b
Found by Linux Verification Center (linuxtesting.org) with Syzkaller