CVE-2024-26853

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
17/04/2024
Last modified:
02/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

igc: avoid returning frame twice in XDP_REDIRECT

When a frame cannot be transmitted in XDP_REDIRECT (e.g. due to a full queue), it is necessary to free it by calling xdp_return_frame_rx_napi.

However, this is the responsibility of the caller of the ndo_xdp_xmit (see for example bq_xmit_all in kernel/bpf/devmap.c) and thus calling it inside igc_xdp_xmit (which is the ndo_xdp_xmit of the igc driver) as well will lead to memory corruption.

In fact, bq_xmit_all expects that it can return all frames after the last successfully transmitted one. Therefore, break for the first not transmitted frame, but do not call xdp_return_frame_rx_napi in igc_xdp_xmit. This is equally implemented in other Intel drivers such as the igb.

There are two alternatives to this that were rejected:
1. Return num_frames as all the frames would have been transmitted and release them inside igc_xdp_xmit. While it might work technically, it is not what the return value is meant to represent (i.e. the number of SUCCESSFULLY transmitted packets).
2. Rework kernel/bpf/devmap.c and all drivers to support non-consecutively dropped packets. Besides being complex, it likely has a negative performance impact without a significant gain since it is anyway unlikely that the next frame can be transmitted if the previous one was dropped.

The memory corruption can be reproduced with the following script which leads to a kernel panic after a few seconds. It basically generates more traffic than an i225 NIC can transmit and pushes it via XDP_REDIRECT from a virtual interface to the physical interface where frames get dropped.

#!/bin/bash
INTERFACE=enp4s0
INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`

sudo ip link add dev veth1 type veth peer name veth2
sudo ip link set up $INTERFACE
sudo ip link set up veth1
sudo ip link set up veth2

cat
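The following C model is an added illustration of the ownership contract described above; it is not code from the kernel or from this advisory. A caller in the shape of bq_xmit_all returns every frame after the last one the driver reported as transmitted, and a per-frame `freed` flag counts how often each frame is returned. The ring, frame and xmit functions (sim_ring, sim_frame, sim_xmit_buggy, sim_xmit_fixed, sim_flush) are hypothetical stand-ins for the igc TX ring, xdp_frame and igc_xdp_xmit, not the kernel's types; the buggy variant reproduces only the double return, which in the real driver corrupts memory.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_FRAMES 8

/* Constructed model of an XDP frame; `freed` stands in for the allocator
 * state that a second xdp_return_frame_rx_napi() would corrupt. */
struct sim_frame { int id; bool transmitted, freed; };

/* Constructed model of a driver TX ring with a fixed number of free slots. */
struct sim_ring { int space; };

/* Outcome of one flush: frames reported sent, frames returned twice,
 * frames neither transmitted nor returned (leaked). */
struct sim_result { int sent, double_frees, unreleased; };

static int double_free_events;

/* Stands in for xdp_return_frame_rx_napi(): give a frame back. */
static void sim_return_frame(struct sim_frame *f)
{
    if (f->freed)
        double_free_events++;   /* second return of the same frame */
    f->freed = true;
}

/* Queue one frame on the ring; fails when the ring is full. */
static bool sim_ring_xmit(struct sim_ring *ring, struct sim_frame *f)
{
    if (ring->space == 0)
        return false;
    ring->space--;
    f->transmitted = true;
    return true;
}

typedef int (*sim_xmit_fn)(struct sim_ring *, struct sim_frame **, int);

/* Hypothetical driver xmit in the shape of the bug: on the first frame that
 * does not fit it returns that frame itself and breaks, even though the
 * caller will return the very same frame again. */
static int sim_xmit_buggy(struct sim_ring *ring, struct sim_frame **frames, int n)
{
    int sent = 0;

    for (int i = 0; i < n; i++) {
        if (!sim_ring_xmit(ring, frames[i])) {
            sim_return_frame(frames[i]);  /* wrong: the caller owns unsent frames */
            break;
        }
        sent++;
    }
    return sent;
}

/* Fixed shape: break at the first frame that cannot be queued, leave every
 * unsent frame to the caller, and report only the count actually sent. */
static int sim_xmit_fixed(struct sim_ring *ring, struct sim_frame **frames, int n)
{
    int sent = 0;

    for (int i = 0; i < n; i++) {
        if (!sim_ring_xmit(ring, frames[i]))
            break;
        sent++;
    }
    return sent;
}

/* Stands in for the bq_xmit_all() contract: the caller returns every frame
 * after the last one the driver reported as transmitted. */
static struct sim_result sim_flush(sim_xmit_fn xmit, int ring_space, int nframes)
{
    struct sim_frame frames[MAX_FRAMES];
    struct sim_frame *ptrs[MAX_FRAMES];
    struct sim_ring ring = { .space = ring_space };
    struct sim_result res = { 0, 0, 0 };

    if (nframes > MAX_FRAMES)
        nframes = MAX_FRAMES;
    for (int i = 0; i < nframes; i++) {
        frames[i] = (struct sim_frame){ .id = i, .transmitted = false, .freed = false };
        ptrs[i] = &frames[i];
    }

    double_free_events = 0;
    res.sent = xmit(&ring, ptrs, nframes);
    for (int i = res.sent; i < nframes; i++)   /* caller releases the rest */
        sim_return_frame(ptrs[i]);

    res.double_frees = double_free_events;
    for (int i = 0; i < nframes; i++)
        if (!frames[i].transmitted && !frames[i].freed)
            res.unreleased++;
    return res;
}

/* Accessors for the stand-alone main() below and for tests. */
int sim_sent(sim_xmit_fn x, int space, int n)         { return sim_flush(x, space, n).sent; }
int sim_double_frees(sim_xmit_fn x, int space, int n) { return sim_flush(x, space, n).double_frees; }
int sim_unreleased(sim_xmit_fn x, int space, int n)   { return sim_flush(x, space, n).unreleased; }

int main(void)
{
    /* Five frames into a ring with two free slots, as when the NIC is saturated. */
    printf("buggy: sent=%d double_frees=%d\n",
           sim_sent(sim_xmit_buggy, 2, 5), sim_double_frees(sim_xmit_buggy, 2, 5));
    printf("fixed: sent=%d double_frees=%d unreleased=%d\n",
           sim_sent(sim_xmit_fixed, 2, 5), sim_double_frees(sim_xmit_fixed, 2, 5),
           sim_unreleased(sim_xmit_fixed, 2, 5));
    return 0;
}
```

With two free ring slots and five frames, both variants report two frames sent, but the buggy one returns the third frame twice (once in the driver, once in the caller), while the fixed one returns each unsent frame exactly once and leaks nothing. This is also why the first rejected alternative (returning num_frames) is wrong: it would silence the double return only by misreporting how many frames were actually transmitted.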

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.13 (including) 6.1.82 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.22 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.10 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*