{
  "claim_outcome": "confirmed",
  "claim_block_reason": null,
  "repro_result": "confirmed",
  "validated_surface": "local_only",
  "evidence_scope": "production_path",
  "claimed_impact_class": "dos",
  "observed_impact_class": "dos",
  "exploitability_confidence": "high",
  "attacker_controlled_input": "enslave a non-Ethernet GRE tunnel to an active-backup bond (bond_setup_by_slave copies ipgre_header_ops onto the bond) so that dev_hard_header(bond) calls ipgre_header(bond) with netdev_priv(bond)=struct bonding reinterpreted as struct ip_tunnel; populate the type-confused ip_tunnel.hlen field with a sign-bit-set value (0x961a63cc, as in the reporter's layout); send an AF_PACKET SOCK_DGRAM packet on the bond",
  "trigger_path": "ip link add gre1 type gre local 10.0.0.1; ip link add bond1 type bond mode active-backup; ip link set gre1 master bond1 (bond_setup_by_slave: bond_dev->header_ops=slave_dev->header_ops=ipgre_header_ops); insmod populate_hlen.ko (writes 0x961a63cc to netdev_priv(bond1)+offsetof(struct ip_tunnel,hlen)); AF_PACKET SOCK_DGRAM sendto on bond1 -> packet_sendmsg -> packet_snd -> dev_hard_header(bond1) -> ipgre_header(bond1) [t=netdev_priv(bond)=struct bonding read as struct ip_tunnel; t->hlen=0x961a63cc] -> needed=t->hlen+20 is a negative int (hlen already has its sign bit set) -> skb_headroom(skb)<needed (unsigned comparison) true -> pskb_expand_head(skb, HH_DATA_ALIGN(needed-headroom), 0, GFP_ATOMIC) with nhead<0 -> BUG_ON(nhead<0) -> kernel panic (DoS)",
  "end_to_end_target_reached": true,
  "sanitizer_used": false,
  "crash_observed": true,
  "read_write_primitive_observed": false,
  "exploit_chain_demonstrated": false,
  "blocking_mitigation": null,
  "inferred": false
}
