Can you explain this vulnerability to me?

This vulnerability exists in the Linux kernel's ice driver related to the XDP (eXpress Data Path) RxQ frag_size field. The frag_size was incorrectly set from the DMA write length instead of the full buffer size (xdp.frame_sz). This mismatch causes negative tailroom due to different assumptions in the driver configuration.

Specifically, the function bpf_xdp_frags_increase_tail() expects the whole buffer size, but the ice driver provided only the DMA write size, leading to errors.

This flaw can trigger a kernel panic when using the XDP_ADJUST_TAIL_GROW_MULTI_BUFF xskxceiver test with certain large packet sizes and offsets.

The vulnerability was fixed by changing the frag_size to use the fill queue buffer truesize instead of the DMA write size, and also fixing the zero-copy (ZC) mode accordingly.

Useful 0 Not Useful 0

What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been resolved by changing the XDP RxQ frag_size from DMA write length to xdp.frame_sz in the ice driver of the Linux kernel.

Immediate mitigation involves updating the Linux kernel to a version that includes this fix, which uses the fill queue buffer truesize instead of DMA write size in XDP RxQ info and fixes the zero-copy (ZC) mode by using the new helper.

Useful 0 Not Useful 0

How can this vulnerability impact me? :

This vulnerability can cause a kernel panic, which is a system crash in the Linux kernel.

A kernel panic can lead to denial of service by crashing the system unexpectedly, potentially causing downtime and loss of availability.

The panic can be triggered by specific network packet sizes and offsets when using XDP features, which may be exploited in certain network environments.

Useful 0 Not Useful 0