CVE-2026-23143

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> virtio_net: Fix misalignment bug in struct virtnet_info<br /> <br /> Use the new TRAILING_OVERLAP() helper to fix a misalignment bug<br /> along with the following warning:<br /> <br /> drivers/net/virtio_net.c:429:46: warning: structure containing a flexible array member is not at the end of another structure [-Wflex-array-member-not-at-end]<br /> <br /> This helper creates a union between a flexible-array member (FAM)<br /> and a set of members that would otherwise follow it (in this case<br /> `u8 rss_hash_key_data[VIRTIO_NET_RSS_MAX_KEY_SIZE];`). This<br /> overlays the trailing members (rss_hash_key_data) onto the FAM<br /> (hash_key_data) while keeping the FAM and the start of MEMBERS aligned.<br /> The static_assert() ensures this alignment remains.<br /> <br /> Notice that due to tail padding in flexible `struct<br /> virtio_net_rss_config_trailer`, `rss_trailer.hash_key_data`<br /> (at offset 83 in struct virtnet_info) and `rss_hash_key_data` (at<br /> offset 84 in struct virtnet_info) are misaligned by one byte. See<br /> below:<br /> <br /> struct virtio_net_rss_config_trailer {<br /> __le16 max_tx_vq; /* 0 2 */<br /> __u8 hash_key_length; /* 2 1 */<br /> __u8 hash_key_data[]; /* 3 0 */<br /> <br /> /* size: 4, cachelines: 1, members: 3 */<br /> /* padding: 1 */<br /> /* last cacheline: 4 bytes */<br /> };<br /> <br /> struct virtnet_info {<br /> ...<br /> struct virtio_net_rss_config_trailer rss_trailer; /* 80 4 */<br /> <br /> /* XXX last struct has 1 byte of padding */<br /> <br /> u8 rss_hash_key_data[40]; /* 84 40 */<br /> ...<br /> /* size: 832, cachelines: 13, members: 48 */<br /> /* sum members: 801, holes: 8, sum holes: 31 */<br /> /* paddings: 2, sum paddings: 5 */<br /> };<br /> <br /> After changes, those members are correctly aligned at offset 795:<br /> <br /> struct virtnet_info {<br /> ...<br /> union {<br /> struct virtio_net_rss_config_trailer rss_trailer; /* 792 4 */<br /> struct {<br /> unsigned char __offset_to_hash_key_data[3]; /* 792 3 */<br /> u8 rss_hash_key_data[40]; /* 795 40 */<br /> }; /* 792 43 */<br /> }; /* 792 44 */<br /> ...<br /> /* size: 840, cachelines: 14, members: 47 */<br /> /* sum members: 801, holes: 8, sum holes: 35 */<br /> /* padding: 4 */<br /> /* paddings: 1, sum paddings: 4 */<br /> /* last cacheline: 8 bytes */<br /> };<br /> <br /> As a result, the RSS key passed to the device is shifted by 1<br /> byte: the last byte is cut off, and instead a (possibly<br /> uninitialized) byte is added at the beginning.<br /> <br /> As a last note `struct virtio_net_rss_config_hdr *rss_hdr;` is also<br /> moved to the end, since it seems those three members should stick<br /> around together. :)