PT-2024-3795 · Linux+3 · Linux Kernel+3

Maciej Fijalkowski · Published 2024-01-24 · Updated 2025-09-29 · CVE-2024-26611

CVSS v3.1: 5.5 (Medium)

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Linux kernel versions prior to 6.6.0

Description

The issue is a null pointer dereference in the Linux kernel when multi-buffer BPF helpers are used for ZC XDP. It occurs when a packet is shrunk via bpf_xdp_adjust_tail() and the memory type is set to MEM_TYPE_XSK_BUFF_POOL. The dereference happens because the xdp_buff argument passed to the __xdp_return() call, which is supposed to be consumed by the xsk_buff_free() call, is NULL. To address this properly, the node representing the frag being removed needs to be pulled out of xskb_list. The fix introduces appropriate xsk helpers for this node operation and uses them within bpf_xdp_adjust_tail().

Recommendations

To resolve the issue for Linux kernel versions prior to 6.6.0, update the kernel to version 6.6.0 or later. If updating is not feasible, consider temporarily disabling the use of multi-buffer BPF helpers for ZC XDP until a patch is available. Additionally, restrict access to the vulnerable bpf_xdp_adjust_tail() function to minimize the risk of exploitation.

Weakness Enumeration

NULL Pointer Dereference

Related Identifiers

ALSA-2025_12746
ALSA-2025_12752
ALSA-2025_12753
ALSA-2025_16880
BDU:2024-04148
CVE-2024-26611
INFSA-2024_9315
RHSA-2024:9315
RHSA-2024_9315
SUSE-SU-2024:2135-1
SUSE-SU-2024:2203-1
SUSE-SU-2024:2973-1
SUSE-SU-2025:20008-1
SUSE-SU-2025:20028-1
SUSE-SU-2025:20166-1
SUSE-SU-2025:20249-1

Affected Products

Linux Kernel
Red Hat
Red Os
Suse