CVE-2024-26853

{"id": "CVE-2024-26853", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-04-17T11:15:08.583", "references": [{"url": "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1b3b8231386a572bac8cd5b6fd7e944b84f9bb1f", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/63a3c1f3c9ecc654d851e7906d05334cd0c236e2", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8df393af9e7e8dfd62e9c41dbaa4d2ff53bf794a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/ef27f655b438bed4c83680e4f01e1cde2739854b", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-787"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: avoid returning frame twice in XDP_REDIRECT\n\nWhen a frame can not be transmitted in XDP_REDIRECT\n(e.g. due to a full queue), it is necessary to free\nit by calling xdp_return_frame_rx_napi.\n\nHowever, this is the responsibility of the caller of\nthe ndo_xdp_xmit (see for example bq_xmit_all in\nkernel/bpf/devmap.c) and thus calling it inside\nigc_xdp_xmit (which is the ndo_xdp_xmit of the igc\ndriver) as well will lead to memory corruption.\n\nIn fact, bq_xmit_all expects that it can return all\nframes after the last successfully transmitted one.\nTherefore, break for the first not transmitted frame,\nbut do not call xdp_return_frame_rx_napi in igc_xdp_xmit.\nThis is equally implemented in other Intel drivers\nsuch as the igb.\n\nThere are two alternatives to this that were rejected:\n1. Return num_frames as all the frames would have been\n transmitted and release them inside igc_xdp_xmit.\n While it might work technically, it is not what\n the return value is meant to represent (i.e. the\n number of SUCCESSFULLY transmitted packets).\n2. Rework kernel/bpf/devmap.c and all drivers to\n support non-consecutively dropped packets.\n Besides being complex, it likely has a negative\n performance impact without a significant gain\n since it is anyway unlikely that the next frame\n can be transmitted if the previous one was dropped.\n\nThe memory corruption can be reproduced with\nthe following script which leads to a kernel panic\nafter a few seconds. It basically generates more\ntraffic than a i225 NIC can transmit and pushes it\nvia XDP_REDIRECT from a virtual interface to the\nphysical interface where frames get dropped.\n\n #!/bin/bash\n INTERFACE=enp4s0\n INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex`\n\n sudo ip link add dev veth1 type veth peer name veth2\n sudo ip link set up $INTERFACE\n sudo ip link set up veth1\n sudo ip link set up veth2\n\n cat << EOF > redirect.bpf.c\n\n SEC(\"prog\")\n int redirect(struct xdp_md *ctx)\n {\n return bpf_redirect($INTERFACE_IDX, 0);\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c redirect.bpf.c -o redirect.bpf.o\n sudo ip link set veth2 xdp obj redirect.bpf.o\n\n cat << EOF > pass.bpf.c\n\n SEC(\"prog\")\n int pass(struct xdp_md *ctx)\n {\n return XDP_PASS;\n }\n\n char _license[] SEC(\"license\") = \"GPL\";\n EOF\n clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o\n sudo ip link set $INTERFACE xdp obj pass.bpf.o\n\n cat << EOF > trafgen.cfg\n\n {\n /* Ethernet Header */\n 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46,\n 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,\n const16(ETH_P_IP),\n\n /* IPv4 Header */\n 0b01000101, 0, # IPv4 version, IHL, TOS\n const16(1028), # IPv4 total length (UDP length + 20 bytes (IP header))\n const16(2), # IPv4 ident\n 0b01000000, 0, # IPv4 flags, fragmentation off\n 64, # IPv4 TTL\n 17, # Protocol UDP\n csumip(14, 33), # IPv4 checksum\n\n /* UDP Header */\n 10, 0, 1, 1, # IP Src - adapt as needed\n 10, 0, 1, 2, # IP Dest - adapt as needed\n const16(6666), # UDP Src Port\n const16(6666), # UDP Dest Port\n const16(1008), # UDP length (UDP header 8 bytes + payload length)\n csumudp(14, 34), # UDP checksum\n\n /* Payload */\n fill('W', 1000),\n }\n EOF\n\n sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp"}, {"lang": "es", "value": "En el kernel de Linux se ha resuelto la siguiente vulnerabilidad: igc: evita devolver la trama dos veces en XDP_REDIRECT Cuando una trama no se puede transmitir en XDP_REDIRECT (por ejemplo, debido a una cola llena), es necesario liberarla llamando a xdp_return_frame_rx_napi. Sin embargo, esto es responsabilidad de quien llama a ndo_xdp_xmit (ver, por ejemplo, bq_xmit_all en kernel/bpf/devmap.c) y, por lo tanto, llamarlo dentro de igc_xdp_xmit (que es el ndo_xdp_xmit del controlador igc) tambi\u00e9n provocar\u00e1 da\u00f1os en la memoria. De hecho, bq_xmit_all espera poder devolver todas las tramas despu\u00e9s de la \u00faltima transmitida con \u00e9xito. Por lo tanto, interrumpa el primer cuadro no transmitido, pero no llame a xdp_return_frame_rx_napi en igc_xdp_xmit. Esto se implementa igualmente en otros controladores Intel como el igb. Hay dos alternativas a esto que fueron rechazadas: 1. Devolver num_frames ya que se habr\u00edan transmitido todas las tramas y liberarlas dentro de igc_xdp_xmit. Si bien podr\u00eda funcionar t\u00e9cnicamente, no es lo que debe representar el valor de retorno (es decir, el n\u00famero de paquetes transmitidos CON \u00c9XITO). 2. Vuelva a trabajar kernel/bpf/devmap.c y todos los controladores para admitir paquetes descartados no consecutivos. Adem\u00e1s de ser complejo, es probable que tenga un impacto negativo en el rendimiento sin una ganancia significativa, ya que de todos modos es poco probable que se pueda transmitir la siguiente trama si se elimin\u00f3 la anterior. La corrupci\u00f3n de la memoria se puede reproducir con el siguiente script, lo que provoca un p\u00e1nico en el kernel despu\u00e9s de unos segundos. B\u00e1sicamente, genera m\u00e1s tr\u00e1fico del que puede transmitir una NIC i225 y lo env\u00eda a trav\u00e9s de XDP_REDIRECT desde una interfaz virtual a la interfaz f\u00edsica donde se eliminan las tramas. #!/bin/bash INTERFACE=enp4s0 INTERFACE_IDX=`cat /sys/class/net/$INTERFACE/ifindex` sudo ip link agregar dev veth1 tipo veth nombre del par veth2 sudo ip link set up $INTERFACE sudo ip link set up veth1 sudo enlace ip configurado veth2 cat &lt;&lt; EOF &gt; redirecci\u00f3n.bpf.c SEC(\"prog\") int redirecci\u00f3n(struct xdp_md *ctx) { return bpf_redirect($INTERFACE_IDX, 0); } char _license[] SEC(\"licencia\") = \"GPL\"; EOF clang -O2 -g -Wall -target bpf -c redirecci\u00f3n.bpf.c -o redirecci\u00f3n.bpf.o sudo ip link set veth2 xdp obj redirecci\u00f3n.bpf.o cat &lt;&lt; EOF &gt; pass.bpf.c SEC(\" prog\") int pass(struct xdp_md *ctx) { return XDP_PASS; } char _license[] SEC(\"licencia\") = \"GPL\"; EOF clang -O2 -g -Wall -target bpf -c pass.bpf.c -o pass.bpf.o sudo ip link set $INTERFACE xdp obj pass.bpf.o cat &lt;&lt; EOF &gt; trafgen.cfg { /* Ethernet Encabezado */ 0xe8, 0x6a, 0x64, 0x41, 0xbf, 0x46, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, const16(ETH_P_IP), /* Encabezado IPv4 */ 0b01000101, 0, # Versi\u00f3n IPv4, IHL, TOS const16 (1028), # Longitud total de IPv4 (longitud UDP + 20 bytes (encabezado IP)) const16(2), # Identificador de IPv4 0b01000000, 0, # Banderas de IPv4, fragmentaci\u00f3n desactivada 64, # IPv4 TTL 17, # Protocolo UDP csumip(14 , 33), # Suma de comprobaci\u00f3n IPv4 /* Encabezado UDP */ 10, 0, 1, 1, # IP Src - adaptar seg\u00fan sea necesario 10, 0, 1, 2, # IP Dest - adaptar seg\u00fan sea necesario const16(6666), # UDP Puerto Src const16(6666), # Puerto de destino UDP const16(1008), # Longitud UDP (encabezado UDP 8 bytes + longitud de carga \u00fatil) csumudp(14, 34), # Suma de comprobaci\u00f3n UDP /* Carga \u00fatil */ fill('W', 1000 ), } EOF sudo trafgen -i trafgen.cfg -b3000MB -o veth1 --cpp"}], "lastModified": "2025-04-02T13:17:04.977", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E24D6448-E428-4A1A-8C36-D64480820106", "versionEndExcluding": "6.1.82", "versionStartIncluding": "5.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AC6FD6F8-5B16-4F53-8116-D42F4BF4FBAC", "versionEndExcluding": "6.6.22", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB4549F9-0160-455F-8CDC-98D38AEF6D66", "versionEndExcluding": "6.7.10", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F02056A5-B362-4370-9FF8-6F0BD384D520"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62075ACE-B2A0-4B16-829D-B3DA5AE5CC41"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A780F817-2A77-4130-A9B7-5C25606314E3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEB9199B-AB8F-4877-8964-E2BA95B5F15C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}