mirror of
https://github.com/slackhq/nebula.git
synced 2026-05-16 04:47:38 +02:00
2bc200103f
The scatter-gather writev path in WriteGSO triggered a kernel-side use-after-free in tun_chr_write_iter → sock_alloc_send_pskb → skb_set_owner_w on Linux 4.19 TUN when the virtio_net_hdr requested TSO segmentation. The skb write-memory refcount (sk_wmem_alloc) underflowed, producing paired traces of refcount_t: addition on 0 (in the write path) and refcount_t: underflow (in the paired recv socket), reliably rebooting UBIOS UXG-Pro routers under iperf3 -R. Match wireguard-go's design: coalesce the virtio_net_hdr, IP/TCP header, and all payload fragments into a single contiguous per-queue scratch buffer, then emit the superpacket with a single write() syscall. wireguard-go's offload path handles GRO-merged TSO superpackets this way and has no equivalent failure mode (see tun/tun_linux.go Write — it writes bufs[bufsI][offset:] with a single tunFile.Write call after coalesce). Cost: one extra memcpy per superpacket (bounded at ~64KiB by the virtio spec). Unit tests pass (go test ./overlay/tio/...). Field testing on UXG-Pro (4.19) pending.