CVE-2024-26611

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26611
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26611.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26611
Published
2024-02-29T15:52:16Z
Modified
2025-10-15T09:01:42.376287Z
Summary
xsk: fix usage of multi-buffer BPF helpers for ZC XDP
Details

In the Linux kernel, the following vulnerability has been resolved:

xsk: fix usage of multi-buffer BPF helpers for ZC XDP

Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory type is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:

[1136314.192256] BUG: kernel NULL pointer dereference, address: 0000000000000034
[1136314.203943] #PF: supervisor read access in kernel mode
[1136314.213768] #PF: error_code(0x0000) - not-present page
[1136314.223550] PGD 0 P4D 0
[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI
[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257
[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019
[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210
[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86
[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246
[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX: 0000000000000000
[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc9003168c000
[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09: 0000000000010000
[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12: 0000000000000001
[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15: 0000000000000001
[1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000) knlGS:0000000000000000
[1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4: 00000000007706f0
[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[1136314.431890] PKRU: 55555554
[1136314.439143] Call Trace:
[1136314.446058] <IRQ>
[1136314.452465] ? __die+0x20/0x70
[1136314.459881] ? page_fault_oops+0x15b/0x440
[1136314.468305] ? exc_page_fault+0x6a/0x150
[1136314.476491] ? asm_exc_page_fault+0x22/0x30
[1136314.484927] ? __xdp_return+0x6c/0x210
[1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0
[1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60
[1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]
[1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice]
[1136314.528506] ice_napi_poll+0x467/0x670 [ice]
[1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0
[1136314.546010] __napi_poll+0x29/0x1b0
[1136314.553462] net_rx_action+0x133/0x270
[1136314.561619] __do_softirq+0xbe/0x28e
[1136314.569303] do_softirq+0x3f/0x60

This comes from __xdp_return() call with xdp_buff argument passed as NULL which is supposed to be consumed by xsk_buff_free() call.

To address this properly, in ZC case, a node that represents the frag being removed has to be pulled out of xskb_list. Introduce appropriate xsk helpers to do such node operation and use them accordingly within bpf_xdp_adjust_tail().

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
24ea50127ecf0efe819c1f6230add27abc6ca9d9
Fixed
82ee4781b8200e44669a354140d5c6bd966b8768
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
24ea50127ecf0efe819c1f6230add27abc6ca9d9
Fixed
5cd781f7216f980207af09c5e0e1bb1eda284540
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
24ea50127ecf0efe819c1f6230add27abc6ca9d9
Fixed
c5114710c8ce86b8317e9b448f4fd15c711c2a82

Affected versions

v6.*

v6.5
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.2

Database specific


Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.15
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.3