In June 2024, a critical vulnerability was addressed in the Linux kernel’s pktgen module. This vulnerability, CVE-2025-21680, allowed potential out-of-bounds memory access due to improper bounds checking in the get_imix_entries function. If you work with high-speed packet generation or kernel network testing tools, understanding this bug is essential.
What is pktgen?
pktgen is a built-in Linux kernel module used for generating network packets at extremely high rates, commonly for network device testing and benchmarking.
One advanced feature of pktgen is IMIX support, which lets users specify a sequence of packet sizes (IMIX entries) to mimic real-world Internet traffic mixes.
Details of the Vulnerability
The Linux kernel (prior to 6.10.-rc1) failed to correctly check the boundaries in the get_imix_entries function. When a user provided more IMIX entries than the internal array could hold (20 entries max), the code would access memory out-of-bounds, leading to undefined behavior or even a crash.
Error log
UBSAN: array-index-out-of-bounds in net/core/pktgen.c:874:24
index 20 is out of range for type 'imix_pkt [20]'
CPU: 2 PID: 121 Comm: bash Not tainted 6.10.-rc1 #121
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
Call Trace:
<TASK>
dump_stack_lvl lib/dump_stack.c:117
__ubsan_handle_out_of_bounds lib/ubsan.c:429
get_imix_entries net/core/pktgen.c:874
pktgen_if_write net/core/pktgen.c:1063
...
Discovered by:
Linux Verification Center (linuxtesting.org) with SVACE.
Here’s a simplified version of what the problematic code looked like
#define MAX_IMIX_ENTRIES 20
struct pktgen_dev {
struct imix_pkt imix_entries[MAX_IMIX_ENTRIES];
int imix_entries_cur;
};
/* ... */
static int get_imix_entries(struct pktgen_dev *pkt_dev, char *buf, int entries)
{
int i;
pkt_dev->imix_entries_cur = entries;
for (i = ; i < entries; i++) {
/* Missing check: i could be >= MAX_IMIX_ENTRIES! */
pkt_dev->imix_entries[i] = parse_imix_pkt(buf);
/* ... */
}
}
If a user specifies, say, 25 IMIX entries using procfs, the loop will try to access beyond imix_entries[19]— causing an out-of-bounds access.
The fix is to ensure that no more than MAX_IMIX_ENTRIES (20) entries are written
if (entries > MAX_IMIX_ENTRIES)
entries = MAX_IMIX_ENTRIES; // Clamp to max size
pkt_dev->imix_entries_cur = entries;
for (i = ; i < entries; i++) {
pkt_dev->imix_entries[i] = parse_imix_pkt(buf);
}
Is this easily exploitable?
- Local crash: Anyone with access to /proc/net/pktgen/* could crash the system by supplying too many IMIX entries.
- Privilege escalation: While undefined behavior is unpredictable, attackers could potentially exploit this to leak memory or manipulate kernel state if other bugs align.
Suppose you have a running pktgen setup, you could trigger the bug like this
# Write 30 imix entries (overflows the array)
echo "imix 30 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100 100" > /proc/net/pktgen/eth
This would trigger the OOB bug (assuming you have sufficient permission), instantly crashing or destabilizing the kernel.
Fix Status and Patch Info
This bug is fixed in Linux kernel version 6.10.-rc1 and later. All major distributions will backport this patch as necessary.
Patch:
Patch summary: Properly clamps the number of IMIX entries to array size.
If you rely on pktgen, it’s essential to update your kernel and avoid untrusted access to the control procfs.
References
- Linux Verification Center Advisory
- SVACE Automated Analysis
- Upstream Linux Kernel Patch
- pktgen Kernel Documentation
- CVE MITRE entry *(placeholder, will be live soon)*
Conclusion
CVE-2025-21680 is a good reminder that simple mistakes in kernel boundary checking can lead to system crashes and a lot worse. The fix is straightforward: don’t allow userspace to overflow kernel arrays. If you use or deploy pktgen, patch now, and remember to treat all kernel input boundaries with suspicion.
If you found this write-up useful, consider sharing it—threat awareness benefits everyone in the Linux community.
Timeline
Published on: 01/31/2025 12:15:29 UTC
Last modified on: 02/04/2025 15:28:08 UTC