CVE-2024-58099

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
29/04/2025
Last modified:
01/10/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame

Andrew and Nikolay reported connectivity issues with Cilium's service load-balancing in case of vmxnet3.

If a BPF program for native XDP adds an encapsulation header such as IPIP and transmits the packet out the same interface, then in case of vmxnet3 a corrupted packet is being sent and subsequently dropped on the path.

vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp() through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:

    page = virt_to_page(xdpf->data);
    tbi->dma_addr = page_pool_get_dma_addr(page) +
                    VMXNET3_XDP_HEADROOM;
    dma_sync_single_for_device(&adapter->pdev->dev,
                               tbi->dma_addr, buf_size,
                               DMA_TO_DEVICE);

The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP BPF program could have moved xdp->data. While the passed buf_size is correct (xdpf->len), the dma_addr needs to have a dynamic offset which can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data - xdp->data_hard_start.
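The offset calculation described above, modelled in user space as an added example (this is not the kernel patch or the driver's code). `model_frame`, `push_header`, `device_sees_packet` and the 256-byte headroom value are assumptions made for the illustration; the payload and header bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_HEADROOM 256u /* stands in for VMXNET3_XDP_HEADROOM; value assumed */
#define IPIP_HDR_LEN   20u  /* outer IPv4 header without options */

/* Constructed stand-in for the frame fields the description refers to. */
struct model_frame {
    uint8_t buf[2048]; /* buf plays the role of data_hard_start */
    uint8_t *data;     /* current packet start; an XDP program may move it */
    uint32_t len;      /* packet length, like xdpf->len */
};

/* Pre-fix calculation: the offset is always the fixed headroom. */
static size_t offset_fixed(const struct model_frame *f) { (void)f; return MODEL_HEADROOM; }

/* Calculation from the description: data - data_hard_start. */
static size_t offset_dynamic(const struct model_frame *f) { return (size_t)(f->data - f->buf); }

/* Model of an XDP program prepending an encapsulation header. */
static void push_header(struct model_frame *f, uint32_t hdr_len)
{
    f->data -= hdr_len;
    f->len += hdr_len;
    memset(f->data, 0x45, hdr_len); /* constructed header bytes */
}

/* Returns 1 if the len bytes the device would read are the real packet,
 * 0 if they are not, -1 if hdr_len does not fit in the headroom. */
int device_sees_packet(uint32_t hdr_len, int use_dynamic)
{
    struct model_frame f;
    if (hdr_len > MODEL_HEADROOM)
        return -1;
    memset(f.buf, 0, sizeof(f.buf));
    f.data = f.buf + MODEL_HEADROOM;
    f.len = 64;
    for (uint32_t i = 0; i < f.len; i++)
        f.data[i] = (uint8_t)(i + 1); /* constructed payload */
    if (hdr_len)
        push_header(&f, hdr_len);
    size_t off = use_dynamic ? offset_dynamic(&f) : offset_fixed(&f);
    return memcmp(f.buf + off, f.data, f.len) == 0;
}

int main(void)
{
    printf("fixed offset, IPIP pushed:   %d\n", device_sees_packet(IPIP_HDR_LEN, 0));
    printf("dynamic offset, IPIP pushed: %d\n", device_sees_packet(IPIP_HDR_LEN, 1));
    return 0;
}
```

With no header pushed both calculations agree, which is why the bug only shows up once the program moves the data pointer.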

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.6 (including) 6.6.59 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*