In the Linux kernel, the following vulnerability has been resolved:

net: missing check virtio

Two missing checks in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again.

1. After the skb_segment function the buffer may become non-linear (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set anywhere the __skb_linearize function will not be executed, then the buffer will remain non-linear. Then the condition (offset >= skb_headlen(skb)) becomes true, which causes WARN_ON_ONCE in skb_checksum_help.

2. The struct sk_buff and struct virtio_net_hdr members must be mathematically related.
(gso_size) must be greater than (needed) otherwise WARN_ON_ONCE.
(remainder) must be greater than (needed) otherwise WARN_ON_ONCE.
(remainder) may be 0 if division is without remainder.

offset+2 (4191) > skb_headlen() (1116)
WARNING: CPU: 1 PID: 5084 at net/core/dev.c:3303 skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
Modules linked in:
CPU: 1 PID: 5084 Comm: syz-executor336 Not tainted 6.7.0-rc3-syzkaller-00014-gdf60cee26a2e #0
Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:skb_checksum_help+0x5e2/0x740 net/core/dev.c:3303
Code: 89 e8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 52 01 00 00 44 89 e2 2b 53 74 4c 89 ee 48 c7 c7 40 57 e9 8b e8 af 8f dd f8 90 <0f> 0b 90 90 e9 87 fe ff ff e8 40 0f 6e f9 e9 4b fa ff ff 48 89 ef
RSP: 0018:ffffc90003a9f338 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff888025125780 RCX: ffffffff814db209
RDX: ffff888015393b80 RSI: ffffffff814db216 RDI: 0000000000000001
RBP: ffff8880251257f4 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000045c
R13: 000000000000105f R14: ffff8880251257f0 R15: 000000000000105d
FS:  0000555555c24380(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000f000 CR3: 0000000023151000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 ip_do_fragment+0xa1b/0x18b0 net/ipv4/ip_output.c:777
 ip_fragment.constprop.0+0x161/0x230 net/ipv4/ip_output.c:584
 ip_finish_output_gso net/ipv4/ip_output.c:286 [inline]
 __ip_finish_output net/ipv4/ip_output.c:308 [inline]
 __ip_finish_output+0x49c/0x650 net/ipv4/ip_output.c:295
 ip_finish_output+0x31/0x310 net/ipv4/ip_output.c:323
 NF_HOOK_COND include/linux/netfilter.h:303 [inline]
 ip_output+0x13b/0x2a0 net/ipv4/ip_output.c:433
 dst_output include/net/dst.h:451 [inline]
 ip_local_out+0xaf/0x1a0 net/ipv4/ip_output.c:129
 iptunnel_xmit+0x5b4/0x9b0 net/ipv4/ip_tunnel_core.c:82
 ipip6_tunnel_xmit net/ipv6/sit.c:1034 [inline]
 sit_tunnel_xmit+0xed2/0x28f0 net/ipv6/sit.c:1076
 __netdev_start_xmit include/linux/netdevice.h:4940 [inline]
 netdev_start_xmit include/linux/netdevice.h:4954 [inline]
 xmit_one net/core/dev.c:3545 [inline]
 dev_hard_start_xmit+0x13d/0x6d0 net/core/dev.c:3561
 __dev_queue_xmit+0x7c1/0x3d60 net/core/dev.c:4346
 dev_queue_xmit include/linux/netdevice.h:3134 [inline]
 packet_xmit+0x257/0x380 net/packet/af_packet.c:276
 packet_snd net/packet/af_packet.c:3087 [inline]
 packet_sendmsg+0x24ca/0x5240 net/packet/af_packet.c:3119
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg+0xd5/0x180 net/socket.c:745
 __sys_sendto+0x255/0x340 net/socket.c:2190
 __do_sys_sendto net/socket.c:2202 [inline]
 __se_sys_sendto net/socket.c:2198 [inline]
 __x64_sys_sendto+0xe0/0x1b0 net/socket.c:2198
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Found by Linux Verification Center (linuxtesting.org) with Syzkaller
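A user-space model of the two consistency checks described above, added here as an illustration (it is neither the kernel's code nor the fix commit). The packet-geometry parameters, using gso_size == 0 to mean "no GSO", and reading "needed" as the header bytes every segment must carry are assumptions of this example.

```c
/* Added example, not kernel code: models the two sanity checks the
 * advisory says virtio_net_hdr_to_skb() lacked, for a header that arrives
 * from an untrusted guest or user. Field names follow struct virtio_net_hdr;
 * the packet geometry arguments and the "needed" arithmetic are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * csum_start, csum_offset, gso_size: fields from the untrusted virtio header
 *   (gso_size == 0 stands in for VIRTIO_NET_HDR_GSO_NONE in this model).
 * len: total packet length; headlen: bytes in the linear head (skb_headlen);
 * needed: L2+L3+L4 header bytes that every GSO segment has to repeat (assumed).
 * Returns true only when the header is consistent with the packet.
 */
bool vnet_hdr_ok(uint16_t csum_start, uint16_t csum_offset, uint16_t gso_size,
                 uint32_t len, uint32_t headlen, uint32_t needed)
{
    /* Check 1: the 16-bit checksum field must lie inside the linear head.
     * skb_checksum_help() otherwise trips WARN_ON_ONCE(offset + 2 > headlen),
     * which is the "offset+2 (4191) > skb_headlen() (1116)" splat above. */
    uint32_t csum_end = (uint32_t)csum_start + csum_offset + sizeof(uint16_t);
    if (csum_end > headlen)
        return false;

    if (gso_size == 0)                  /* not a GSO packet: nothing to relate */
        return true;

    /* Check 2: GSO geometry. gso_size must exceed the header bytes it is
     * split around, and a non-zero final remainder must too, so that no
     * segment produced by skb_segment() is shorter than its own headers. */
    if (needed >= len || gso_size <= needed)
        return false;
    uint32_t remainder = (len - needed) % gso_size;   /* may legitimately be 0 */
    if (remainder != 0 && remainder <= needed)
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: the geometry from the warning, then a sane TCP GSO one. */
    printf("splat geometry: %s\n", vnet_hdr_ok(4000, 189, 0, 4191, 1116, 54) ? "ok" : "rejected");
    printf("sane TCP GSO  : %s\n", vnet_hdr_ok(34, 16, 1460, 2974, 2974, 54) ? "ok" : "rejected");
    return 0;
}
```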