In the Linux kernel, the following vulnerability has been resolved:
net: veth: clear GRO when clearing XDP even when down
veth sets NETIFFGRO automatically when XDP is enabled, because both features use the same NAPI machinery.
The logic to clear NETIFFGRO sits in vethdisablexdp() which is called both on ndostop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFFUP is not set. Bringing the device down should indeed not modify its features.
Unfortunately, this means that clearing is also skipped when XDP is disabled while the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances.
We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer.
Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndoopen / ndoclose paths.
{ "vanir_signatures": [ { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_enable_xdp" }, "id": "CVE-2024-26803-004d8b68", "digest": { "length": 739.0, "function_hash": "278267699030901204360273416657664988511" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16edf51f33f52dff70ed455bc40a6cc443c04664" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_enable_xdp" }, "id": "CVE-2024-26803-12a692ab", "digest": { "length": 739.0, "function_hash": "278267699030901204360273416657664988511" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9f801355f0b47668419f30f1fac1cf4539e736" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_disable_xdp" }, "id": "CVE-2024-26803-1532b608", "digest": { "length": 453.0, "function_hash": "213517101354622100302065379665064387427" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7985d73961bbb4e726c1be7b9cd26becc7be8325" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_xdp_set" }, "id": "CVE-2024-26803-1adf937f", "digest": { "length": 1424.0, "function_hash": "87767558958580101862792064065156645355" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f7a3894e58e6f5d5815533cfde60e3838947941" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_xdp_set" }, "id": "CVE-2024-26803-1f5bacc1", "digest": { "length": 1424.0, "function_hash": "87767558958580101862792064065156645355" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9f801355f0b47668419f30f1fac1cf4539e736" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_xdp_set" }, "id": "CVE-2024-26803-4dade8e9", "digest": { "length": 1291.0, "function_hash": "224809860395258597066987742431458591380" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f011c103e654d83dc85f057a7d1bd0960d02831c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_disable_xdp" }, "id": "CVE-2024-26803-4ec6e86e", "digest": { "length": 453.0, "function_hash": "213517101354622100302065379665064387427" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f011c103e654d83dc85f057a7d1bd0960d02831c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_enable_xdp" }, "id": "CVE-2024-26803-50233cb9", "digest": { "length": 739.0, "function_hash": "278267699030901204360273416657664988511" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7985d73961bbb4e726c1be7b9cd26becc7be8325" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/veth.c" }, "id": "CVE-2024-26803-5f4c10ca", "digest": { "line_hashes": [ "51600521298343918692076812511963295247", "228927025547975638735029491396071494088", "188251477361409911622229848895383964764", "33452757896745488551179731991401472917", "205777859805371827651574283584077801281", "155193743157180343259231763003304890385", "243908417462048862604911173789816653457", "36686103015714214723838480004605014622", "20848688118658051035010770106989672937", "110801145821806668207820538878277560258", "163110444997990614731861559455110605926", "132196368406772409981002340256950680850", "22978356902576825124258048314280784142", "243414821059066217318054239778306753862", "153915271038379034284603560285869484189", "80194275435019102031408448711991564417", "140576295379162485109042286239197101685", "188857975190572885728574168155141540884", "114829558794022398098847952273374068989", "123066228907334175661141875057757568237", "202795856178504132488371500305852226935", "127080162348608263197356407646751819311", "197095297622269075945891798834460169221", "154813996759324975009894625930509795260" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9f801355f0b47668419f30f1fac1cf4539e736" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/veth.c" }, "id": "CVE-2024-26803-682dda38", "digest": { "line_hashes": [ "51600521298343918692076812511963295247", "228927025547975638735029491396071494088", "188251477361409911622229848895383964764", "33452757896745488551179731991401472917", "205777859805371827651574283584077801281", "155193743157180343259231763003304890385", "243908417462048862604911173789816653457", "36686103015714214723838480004605014622", "20848688118658051035010770106989672937", "110801145821806668207820538878277560258", "163110444997990614731861559455110605926", "132196368406772409981002340256950680850", "22978356902576825124258048314280784142", "243414821059066217318054239778306753862", "153915271038379034284603560285869484189", "80194275435019102031408448711991564417", "140576295379162485109042286239197101685", "188857975190572885728574168155141540884", "114829558794022398098847952273374068989", "123066228907334175661141875057757568237", "202795856178504132488371500305852226935", "127080162348608263197356407646751819311", "197095297622269075945891798834460169221", "154813996759324975009894625930509795260" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16edf51f33f52dff70ed455bc40a6cc443c04664" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/veth.c" }, "id": "CVE-2024-26803-79ba7a73", "digest": { "line_hashes": [ "51600521298343918692076812511963295247", "228927025547975638735029491396071494088", "188251477361409911622229848895383964764", "33452757896745488551179731991401472917", "205777859805371827651574283584077801281", "155193743157180343259231763003304890385", "243908417462048862604911173789816653457", "36686103015714214723838480004605014622", "20848688118658051035010770106989672937", "110801145821806668207820538878277560258", "163110444997990614731861559455110605926", "132196368406772409981002340256950680850", "22978356902576825124258048314280784142", "243414821059066217318054239778306753862", "153915271038379034284603560285869484189", "80194275435019102031408448711991564417", "140576295379162485109042286239197101685", "188857975190572885728574168155141540884", "114829558794022398098847952273374068989", "123066228907334175661141875057757568237", "202795856178504132488371500305852226935", "319297122639220144204126051273652870784", "197095297622269075945891798834460169221", "154813996759324975009894625930509795260" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7985d73961bbb4e726c1be7b9cd26becc7be8325" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_disable_xdp" }, "id": "CVE-2024-26803-9ab62771", "digest": { "length": 453.0, "function_hash": "213517101354622100302065379665064387427" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fe9f801355f0b47668419f30f1fac1cf4539e736" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_disable_xdp" }, "id": "CVE-2024-26803-afca18bd", "digest": { "length": 453.0, "function_hash": "213517101354622100302065379665064387427" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16edf51f33f52dff70ed455bc40a6cc443c04664" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/veth.c" }, "id": "CVE-2024-26803-b01c6271", "digest": { "line_hashes": [ "51600521298343918692076812511963295247", "228927025547975638735029491396071494088", "188251477361409911622229848895383964764", "33452757896745488551179731991401472917", "205777859805371827651574283584077801281", "155193743157180343259231763003304890385", "243908417462048862604911173789816653457", "36686103015714214723838480004605014622", "20848688118658051035010770106989672937", "110801145821806668207820538878277560258", "163110444997990614731861559455110605926", "132196368406772409981002340256950680850", "22978356902576825124258048314280784142", "243414821059066217318054239778306753862", "153915271038379034284603560285869484189", "80194275435019102031408448711991564417", "140576295379162485109042286239197101685", "188857975190572885728574168155141540884", "114829558794022398098847952273374068989", "123066228907334175661141875057757568237", "202795856178504132488371500305852226935", "319297122639220144204126051273652870784", "197095297622269075945891798834460169221", "154813996759324975009894625930509795260" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f011c103e654d83dc85f057a7d1bd0960d02831c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_enable_xdp" }, "id": "CVE-2024-26803-bfa99e24", "digest": { "length": 739.0, "function_hash": "278267699030901204360273416657664988511" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f7a3894e58e6f5d5815533cfde60e3838947941" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_enable_xdp" }, "id": "CVE-2024-26803-c0ed85cf", "digest": { "length": 739.0, "function_hash": "278267699030901204360273416657664988511" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f011c103e654d83dc85f057a7d1bd0960d02831c" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_xdp_set" }, "id": "CVE-2024-26803-c38b8302", "digest": { "length": 1344.0, "function_hash": "286025677818980656058542677129371759962" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@7985d73961bbb4e726c1be7b9cd26becc7be8325" }, { "deprecated": false, "signature_type": "Line", "target": { "file": "drivers/net/veth.c" }, "id": "CVE-2024-26803-dd42bb66", "digest": { "line_hashes": [ "51600521298343918692076812511963295247", "228927025547975638735029491396071494088", "188251477361409911622229848895383964764", "33452757896745488551179731991401472917", "205777859805371827651574283584077801281", "155193743157180343259231763003304890385", "243908417462048862604911173789816653457", "36686103015714214723838480004605014622", "20848688118658051035010770106989672937", "110801145821806668207820538878277560258", "163110444997990614731861559455110605926", "132196368406772409981002340256950680850", "22978356902576825124258048314280784142", "243414821059066217318054239778306753862", "153915271038379034284603560285869484189", "80194275435019102031408448711991564417", "140576295379162485109042286239197101685", "188857975190572885728574168155141540884", "114829558794022398098847952273374068989", "123066228907334175661141875057757568237", "202795856178504132488371500305852226935", "127080162348608263197356407646751819311", "197095297622269075945891798834460169221", "154813996759324975009894625930509795260" ], "threshold": 0.9 }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f7a3894e58e6f5d5815533cfde60e3838947941" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_disable_xdp" }, "id": "CVE-2024-26803-e4f39404", "digest": { "length": 453.0, "function_hash": "213517101354622100302065379665064387427" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f7a3894e58e6f5d5815533cfde60e3838947941" }, { "deprecated": false, "signature_type": "Function", "target": { "file": "drivers/net/veth.c", "function": "veth_xdp_set" }, "id": "CVE-2024-26803-e59c5c26", "digest": { "length": 1424.0, "function_hash": "87767558958580101862792064065156645355" }, "signature_version": "v1", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@16edf51f33f52dff70ed455bc40a6cc443c04664" } ] }