{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-26611", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.130Z", "datePublished": "2024-02-29T15:52:16.405Z", "dateUpdated": "2025-05-04T08:52:17.425Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:52:17.425Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix usage of multi-buffer BPF helpers for ZC XDP\n\nCurrently when packet is shrunk via bpf_xdp_adjust_tail() and memory\ntype is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:\n\n[1136314.192256] BUG: kernel NULL pointer dereference, address:\n0000000000000034\n[1136314.203943] #PF: supervisor read access in kernel mode\n[1136314.213768] #PF: error_code(0x0000) - not-present page\n[1136314.223550] PGD 0 P4D 0\n[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257\n[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT,\nBIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210\n[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86\n[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246\n[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX:\n0000000000000000\n[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI:\nffffc9003168c000\n[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09:\n0000000000010000\n[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12:\n0000000000000001\n[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15:\n0000000000000001\n[1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000)\nknlGS:0000000000000000\n[1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4:\n00000000007706f0\n[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1136314.431890] PKRU: 55555554\n[1136314.439143] Call Trace:\n[1136314.446058] <IRQ>\n[1136314.452465] ? __die+0x20/0x70\n[1136314.459881] ? page_fault_oops+0x15b/0x440\n[1136314.468305] ? exc_page_fault+0x6a/0x150\n[1136314.476491] ? asm_exc_page_fault+0x22/0x30\n[1136314.484927] ? __xdp_return+0x6c/0x210\n[1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0\n[1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60\n[1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]\n[1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice]\n[1136314.528506] ice_napi_poll+0x467/0x670 [ice]\n[1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0\n[1136314.546010] __napi_poll+0x29/0x1b0\n[1136314.553462] net_rx_action+0x133/0x270\n[1136314.561619] __do_softirq+0xbe/0x28e\n[1136314.569303] do_softirq+0x3f/0x60\n\nThis comes from __xdp_return() call with xdp_buff argument passed as\nNULL which is supposed to be consumed by xsk_buff_free() call.\n\nTo address this properly, in ZC case, a node that represents the frag\nbeing removed has to be pulled out of xskb_list. Introduce\nappropriate xsk helpers to do such node operation and use them\naccordingly within bpf_xdp_adjust_tail()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/core/filter.c"], "versions": [{"version": "24ea50127ecf0efe819c1f6230add27abc6ca9d9", "lessThan": "82ee4781b8200e44669a354140d5c6bd966b8768", "status": "affected", "versionType": "git"}, {"version": "24ea50127ecf0efe819c1f6230add27abc6ca9d9", "lessThan": "5cd781f7216f980207af09c5e0e1bb1eda284540", "status": "affected", "versionType": "git"}, {"version": "24ea50127ecf0efe819c1f6230add27abc6ca9d9", "lessThan": "c5114710c8ce86b8317e9b448f4fd15c711c2a82", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["include/net/xdp_sock_drv.h", "net/core/filter.c"], "versions": [{"version": "6.6", "status": "affected"}, {"version": "0", "lessThan": "6.6", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.15", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.3", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.6.15"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.7.3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.6", "versionEndExcluding": "6.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/82ee4781b8200e44669a354140d5c6bd966b8768"}, {"url": "https://git.kernel.org/stable/c/5cd781f7216f980207af09c5e0e1bb1eda284540"}, {"url": "https://git.kernel.org/stable/c/c5114710c8ce86b8317e9b448f4fd15c711c2a82"}], "title": "xsk: fix usage of multi-buffer BPF helpers for ZC XDP", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26611", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T15:51:58.971501Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:49:27.696Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.862Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/82ee4781b8200e44669a354140d5c6bd966b8768", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5cd781f7216f980207af09c5e0e1bb1eda284540", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c5114710c8ce86b8317e9b448f4fd15c711c2a82", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/82ee4781b8200e44669a354140d5c6bd966b8768", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/5cd781f7216f980207af09c5e0e1bb1eda284540", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/c5114710c8ce86b8317e9b448f4fd15c711c2a82", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:07:19.862Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26611", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-12T15:51:58.971501Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:16.989Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "xsk: fix usage of multi-buffer BPF helpers for ZC XDP", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "24ea50127ecf0efe819c1f6230add27abc6ca9d9", "lessThan": "82ee4781b8200e44669a354140d5c6bd966b8768", "versionType": "git"}, {"status": "affected", "version": "24ea50127ecf0efe819c1f6230add27abc6ca9d9", "lessThan": "5cd781f7216f980207af09c5e0e1bb1eda284540", "versionType": "git"}, {"status": "affected", "version": "24ea50127ecf0efe819c1f6230add27abc6ca9d9", "lessThan": "c5114710c8ce86b8317e9b448f4fd15c711c2a82", "versionType": "git"}], "programFiles": ["include/net/xdp_sock_drv.h", "net/core/filter.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "6.6"}, {"status": "unaffected", "version": "0", "lessThan": "6.6", "versionType": "semver"}, {"status": "unaffected", "version": "6.6.15", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.3", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["include/net/xdp_sock_drv.h", "net/core/filter.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/82ee4781b8200e44669a354140d5c6bd966b8768"}, {"url": "https://git.kernel.org/stable/c/5cd781f7216f980207af09c5e0e1bb1eda284540"}, {"url": "https://git.kernel.org/stable/c/c5114710c8ce86b8317e9b448f4fd15c711c2a82"}], "x_generator": {"engine": "bippy-1.2.0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix usage of multi-buffer BPF helpers for ZC XDP\n\nCurrently when packet is shrunk via bpf_xdp_adjust_tail() and memory\ntype is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:\n\n[1136314.192256] BUG: kernel NULL pointer dereference, address:\n0000000000000034\n[1136314.203943] #PF: supervisor read access in kernel mode\n[1136314.213768] #PF: error_code(0x0000) - not-present page\n[1136314.223550] PGD 0 P4D 0\n[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257\n[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT,\nBIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210\n[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86\n[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246\n[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX:\n0000000000000000\n[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI:\nffffc9003168c000\n[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09:\n0000000000010000\n[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12:\n0000000000000001\n[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15:\n0000000000000001\n[1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000)\nknlGS:0000000000000000\n[1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4:\n00000000007706f0\n[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1136314.431890] PKRU: 55555554\n[1136314.439143] Call Trace:\n[1136314.446058] <IRQ>\n[1136314.452465] ? __die+0x20/0x70\n[1136314.459881] ? page_fault_oops+0x15b/0x440\n[1136314.468305] ? exc_page_fault+0x6a/0x150\n[1136314.476491] ? asm_exc_page_fault+0x22/0x30\n[1136314.484927] ? __xdp_return+0x6c/0x210\n[1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0\n[1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60\n[1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]\n[1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice]\n[1136314.528506] ice_napi_poll+0x467/0x670 [ice]\n[1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0\n[1136314.546010] __napi_poll+0x29/0x1b0\n[1136314.553462] net_rx_action+0x133/0x270\n[1136314.561619] __do_softirq+0xbe/0x28e\n[1136314.569303] do_softirq+0x3f/0x60\n\nThis comes from __xdp_return() call with xdp_buff argument passed as\nNULL which is supposed to be consumed by xsk_buff_free() call.\n\nTo address this properly, in ZC case, a node that represents the frag\nbeing removed has to be pulled out of xskb_list. Introduce\nappropriate xsk helpers to do such node operation and use them\naccordingly within bpf_xdp_adjust_tail()."}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.6.15", "versionStartIncluding": "6.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.7.3", "versionStartIncluding": "6.6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "6.8", "versionStartIncluding": "6.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:52:17.425Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26611", "state": "PUBLISHED", "dateUpdated": "2025-05-04T08:52:17.425Z", "dateReserved": "2024-02-19T14:20:24.130Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-02-29T15:52:16.405Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "EB070897-9C4B-4820-AE94-31318C9F5D76", "versionEndExcluding": "6.6.15", "versionStartIncluding": "6.6", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "58FD5308-148A-40D3-B36A-0CA6B434A8BF", "versionEndExcluding": "6.7.3", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*", "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nxsk: fix usage of multi-buffer BPF helpers for ZC XDP\n\nCurrently when packet is shrunk via bpf_xdp_adjust_tail() and memory\ntype is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:\n\n[1136314.192256] BUG: kernel NULL pointer dereference, address:\n0000000000000034\n[1136314.203943] #PF: supervisor read access in kernel mode\n[1136314.213768] #PF: error_code(0x0000) - not-present page\n[1136314.223550] PGD 0 P4D 0\n[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257\n[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT,\nBIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210\n[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86\n[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246\n[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX:\n0000000000000000\n[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI:\nffffc9003168c000\n[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09:\n0000000000010000\n[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12:\n0000000000000001\n[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15:\n0000000000000001\n[1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000)\nknlGS:0000000000000000\n[1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4:\n00000000007706f0\n[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1136314.431890] PKRU: 55555554\n[1136314.439143] Call Trace:\n[1136314.446058] <IRQ>\n[1136314.452465] ? __die+0x20/0x70\n[1136314.459881] ? page_fault_oops+0x15b/0x440\n[1136314.468305] ? exc_page_fault+0x6a/0x150\n[1136314.476491] ? asm_exc_page_fault+0x22/0x30\n[1136314.484927] ? __xdp_return+0x6c/0x210\n[1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0\n[1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60\n[1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]\n[1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice]\n[1136314.528506] ice_napi_poll+0x467/0x670 [ice]\n[1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0\n[1136314.546010] __napi_poll+0x29/0x1b0\n[1136314.553462] net_rx_action+0x133/0x270\n[1136314.561619] __do_softirq+0xbe/0x28e\n[1136314.569303] do_softirq+0x3f/0x60\n\nThis comes from __xdp_return() call with xdp_buff argument passed as\nNULL which is supposed to be consumed by xsk_buff_free() call.\n\nTo address this properly, in ZC case, a node that represents the frag\nbeing removed has to be pulled out of xskb_list. Introduce\nappropriate xsk helpers to do such node operation and use them\naccordingly within bpf_xdp_adjust_tail()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: xsk: corrige el uso de asistentes BPF de m\u00faltiples b\u00fafer para ZC XDP Actualmente, cuando el paquete se reduce a trav\u00e9s de bpf_xdp_adjust_tail() y el tipo de memoria est\u00e1 configurado en MEM_TYPE_XSK_BUFF_POOL, se produce una desreferencia de ptr nula: [1136314.192256] ERROR: desreferencia del puntero NULL del kernel, direcci\u00f3n: 0000000000000034 [1136314.203943] #PF: acceso de lectura del supervisor en modo kernel [1136314.213768] #PF: error_code(0x0000) - p\u00e1gina no presente [1136314.223550] PGD 0 P4D 0 [113631 4.230684] Ups: 0000 [#1] PREEMPT SMP NOPTI [1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257 [1136314.250469] Nombre de hardware: Intel Corporation S2600WFT/S2600WFT, BIOS SE5C620.86B.02.01.0008.0 31920191559 03/19 /2019 [1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210 [1136314.274653] C\u00f3digo: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 0 0 00 f0 41 y siguientes 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86 [1136314.302907] RSP: 0018:ffffc900089f 8db0 EFLAGS: 00010246 [1136314.312967] RAX : ffffc9003168aed0 RBX: ffff8881c3300000 RCX: 0000000000000000 [1136314.324953] RDX: 00000000000000000 RSI: 0000000000000003 RDI: ffffc900316 8c000 [1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09: 0000000000010000 [1136314.348844] R10: ffffc9000e495000 R11: 000 0000000000040 R12: 00000000000000001 [1136314.360706] R13: 00000000000000524 R14: ffffc9003168aec0 R15: 0000000000000001 [1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000) knlGS:0000000000000000 [1 136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1136314.396532] CR2: 00000000000000034 CR3: 00000001aa912002 CR4: 00000000007706f0 [1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 00000000000000000 [1136314.420173] DR3: 00000000000 00000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [1136314.431890] PKRU: 55555554 [1136314.439143] Seguimiento de llamadas: [1136314.446058] [1136314.452465 ] ? __morir+0x20/0x70 [1136314.459881] ? page_fault_oops+0x15b/0x440 [1136314.468305] ? exc_page_fault+0x6a/0x150 [1136314.476491] ? asm_exc_page_fault+0x22/0x30 [1136314.484927] ? __xdp_return+0x6c/0x210 [1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0 [1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60 [1136314 .511263] ice_clean_rx_irq_zc+0x206/0xc60 [hielo] [1136314.520222] ? ice_xmit_zc+0x6e/0x150 [hielo] [1136314.528506] ice_napi_poll+0x467/0x670 [hielo] [1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0 [1136314.546010] __napi_poll+0x29/0x1b0 [1136314.553462] net_rx_action+0x133/0x270 [1136314.561619] __do_softirq+0xbe/0x2 8e [1136314.569303] do_softirq+0x3f/0x60 Esto proviene de la llamada __xdp_return() con xdp_buff argumento pasado como NULL que se supone que debe ser consumido por la llamada xsk_buff_free(). Para solucionar esto correctamente, en el caso de ZC, se debe extraer de xskb_list un nodo que represente el fragmento que se est\u00e1 eliminando. Introduzca ayudantes xsk apropiados para realizar dicha operaci\u00f3n de nodo y util\u00edcelos en consecuencia dentro de bpf_xdp_adjust_tail()."}], "id": "CVE-2024-26611", "lastModified": "2024-12-12T15:30:50.397", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-11T18:15:19.123", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5cd781f7216f980207af09c5e0e1bb1eda284540"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/82ee4781b8200e44669a354140d5c6bd966b8768"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c5114710c8ce86b8317e9b448f4fd15c711c2a82"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/5cd781f7216f980207af09c5e0e1bb1eda284540"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/82ee4781b8200e44669a354140d5c6bd966b8768"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/c5114710c8ce86b8317e9b448f4fd15c711c2a82"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-476"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}], "bugzilla": {"description": "kernel: xsk: fix usage of multi-buffer BPF helpers for ZC XDP", "id": "2269203", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2269203"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-476", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nxsk: fix usage of multi-buffer BPF helpers for ZC XDP\nCurrently when packet is shrunk via bpf_xdp_adjust_tail() and memory\ntype is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens:\n[1136314.192256] BUG: kernel NULL pointer dereference, address:\n0000000000000034\n[1136314.203943] #PF: supervisor read access in kernel mode\n[1136314.213768] #PF: error_code(0x0000) - not-present page\n[1136314.223550] PGD 0 P4D 0\n[1136314.230684] Oops: 0000 [#1] PREEMPT SMP NOPTI\n[1136314.239621] CPU: 8 PID: 54203 Comm: xdpsock Not tainted 6.6.0+ #257\n[1136314.250469] Hardware name: Intel Corporation S2600WFT/S2600WFT,\nBIOS SE5C620.86B.02.01.0008.031920191559 03/19/2019\n[1136314.265615] RIP: 0010:__xdp_return+0x6c/0x210\n[1136314.274653] Code: ad 00 48 8b 47 08 49 89 f8 a8 01 0f 85 9b 01 00 00 0f 1f 44 00 00 f0 41 ff 48 34 75 32 4c 89 c7 e9 79 cd 80 ff 83 fe 03 75 17 <f6> 41 34 01 0f 85 02 01 00 00 48 89 cf e9 22 cc 1e 00 e9 3d d2 86\n[1136314.302907] RSP: 0018:ffffc900089f8db0 EFLAGS: 00010246\n[1136314.312967] RAX: ffffc9003168aed0 RBX: ffff8881c3300000 RCX:\n0000000000000000\n[1136314.324953] RDX: 0000000000000000 RSI: 0000000000000003 RDI:\nffffc9003168c000\n[1136314.336929] RBP: 0000000000000ae0 R08: 0000000000000002 R09:\n0000000000010000\n[1136314.348844] R10: ffffc9000e495000 R11: 0000000000000040 R12:\n0000000000000001\n[1136314.360706] R13: 0000000000000524 R14: ffffc9003168aec0 R15:\n0000000000000001\n[1136314.373298] FS: 00007f8df8bbcb80(0000) GS:ffff8897e0e00000(0000)\nknlGS:0000000000000000\n[1136314.386105] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[1136314.396532] CR2: 0000000000000034 CR3: 00000001aa912002 CR4:\n00000000007706f0\n[1136314.408377] DR0: 0000000000000000 DR1: 0000000000000000 DR2:\n0000000000000000\n[1136314.420173] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:\n0000000000000400\n[1136314.431890] PKRU: 55555554\n[1136314.439143] Call Trace:\n[1136314.446058] <IRQ>\n[1136314.452465] ? __die+0x20/0x70\n[1136314.459881] ? page_fault_oops+0x15b/0x440\n[1136314.468305] ? exc_page_fault+0x6a/0x150\n[1136314.476491] ? asm_exc_page_fault+0x22/0x30\n[1136314.484927] ? __xdp_return+0x6c/0x210\n[1136314.492863] bpf_xdp_adjust_tail+0x155/0x1d0\n[1136314.501269] bpf_prog_ccc47ae29d3b6570_xdp_sock_prog+0x15/0x60\n[1136314.511263] ice_clean_rx_irq_zc+0x206/0xc60 [ice]\n[1136314.520222] ? ice_xmit_zc+0x6e/0x150 [ice]\n[1136314.528506] ice_napi_poll+0x467/0x670 [ice]\n[1136314.536858] ? ttwu_do_activate.constprop.0+0x8f/0x1a0\n[1136314.546010] __napi_poll+0x29/0x1b0\n[1136314.553462] net_rx_action+0x133/0x270\n[1136314.561619] __do_softirq+0xbe/0x28e\n[1136314.569303] do_softirq+0x3f/0x60\nThis comes from __xdp_return() call with xdp_buff argument passed as\nNULL which is supposed to be consumed by xsk_buff_free() call.\nTo address this properly, in ZC case, a node that represents the frag\nbeing removed has to be pulled out of xskb_list. Introduce\nappropriate xsk helpers to do such node operation and use them\naccordingly within bpf_xdp_adjust_tail()."], "name": "CVE-2024-26611", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-02-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26611\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26611\nhttps://lore.kernel.org/linux-cve-announce/20240229155245.1571576-43-lee@kernel.org/T"], "threat_severity": "Low"}

{}