In the Linux kernel, a vulnerability has been resolved concerning the usage of multi-buffer BPF helpers for Zero-Copy (ZC) eXpress Data Path (XDP). This issue has the potential to cause a null pointer dereference, leading to system crashes or even opening the door for malicious exploits.

The vulnerability, which is tracked as CVE-2024-26611, was previously present in the XDP Sockets (xsk) subsystem and resulted from the __xdp_return() function call, which was passed a NULL xdp_buff argument. This eventually led to an improper xsk_buff_free() call, causing null pointer dereference errors.

An example of the error output is shown below:

[1136314.192256] BUG: kernel NULL pointer dereference, address: 0000000000000034
...
[1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d
...
[1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]
...
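
A check for this crash signature in kernel logs, as an added example that is not part of the original advisory or of the kernel project: it groups log lines into NULL-dereference reports and flags those where bpf_xdp_adjust_tail was called from a zero-copy RX routine. The function names, the `_zc` suffix heuristic and the sample log (constructed timestamps and offsets) are assumptions.

```python
import re

# Reliable call-trace frame: "symbol+0xOFF/0xSIZE [module]". Frames the kernel
# marks unreliable ("? symbol+...") do not match and are ignored.
FRAME = re.compile(r"^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
STAMP = re.compile(r"^\[\s*(\d+\.\d+)\](.*)$")
OOPS = "BUG: kernel NULL pointer dereference"

def split_reports(lines):
    """Group dmesg lines into one report per NULL-dereference oops."""
    reports, cur = [], None
    for raw in lines:
        m = STAMP.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if OOPS in msg:
            cur = {"time": ts, "frames": []}
            reports.append(cur)
        elif cur is not None and "---[ end trace" in msg:
            cur = None
        elif cur is not None and (f := FRAME.match(msg)):
            cur["frames"].append(f.groups())
    return reports

def scan(lines):
    """Return (time, zc_symbol, module) for each oops matching the page's trace."""
    hits = []
    for rep in split_reports(lines):
        syms = [s for s, _ in rep["frames"]]
        if "bpf_xdp_adjust_tail" not in syms:
            continue
        # Traces list the innermost frame first, so callers come after the helper.
        outer = rep["frames"][syms.index("bpf_xdp_adjust_tail") + 1:]
        # Assumption: other drivers' zero-copy RX routines also end in "_zc".
        zc = next(((s, mod) for s, mod in outer if s.endswith("_zc")), None)
        if zc:
            hits.append((rep["time"], *zc))
    return hits

# Constructed sample: timestamps and offsets are made up; symbols are from the page.
SAMPLE = """\
[  100.000001] BUG: kernel NULL pointer dereference, address: 0000000000000034
[  100.000003]  bpf_xdp_adjust_tail+0x10/0x20
[  100.000004]  ice_clean_rx_irq_zc+0x30/0x40 [ice]
[  100.000005] ---[ end trace 0000000000000000 ]---
[  200.000001] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  200.000002]  ? bpf_xdp_adjust_tail+0x10/0x20
[  200.000003]  example_poll+0x50/0x60 [example]
"""
```

Passing the lines of a saved kernel log to `scan()` returns one tuple per matching crash, which also names the driver module involved.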

To fix this vulnerability, the Linux kernel developers have introduced new xsk helper functions that correctly manage the removal of frag nodes from the xskb_list in ZC scenarios. These helper functions are then used within bpf_xdp_adjust_tail() to avoid null pointer dereference issues and provide a more robust and secure implementation.

This fix has been included in the latest Linux kernel and can be located in the official Linux repository. References:

- xsk: Linux kernel commit
- Linux Kernel Mailing List
- Linux Kernel Bug Tracker

Users and system administrators are advised to update their Linux kernel to the latest version to ensure they are protected from this vulnerability. This should help maintain the reliability and security of Linux-based systems and reduce the risk of potential exploits taking advantage of this issue.

Timeline

Published on: 03/11/2024 18:15:19 UTC
Last modified on: 03/12/2024 12:40:13 UTC