Linux Kernel True Size Calculation Vulnerability in bnxt Ethernet Driver

Vulnerability

A vulnerability exists in the Linux kernel's bnxt Ethernet driver: it incorrectly calculates the true size of packets when the mb-xdp feature is used and the XDP program returns XDP_PASS. The true size is calculated from the number of fragments, but the shared information has already been cleared by a previous function by the time that number is read. As a result, the driver passes an incorrect true size when converting packets from xdp_buff to sk_buff, leading to potential fragmentation issues.
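The ordering problem described above, as a user-space model added here for illustration; it is not the driver's code or the kernel fix. All struct and function names, the buffer sizes and the `truesize_ok` check are assumptions, and the corrected variant shows only one possible shape of a fix.

```c
#include <stdio.h>
#include <string.h>

#define FRAG_BUF_SIZE 4096u /* assumed size of each fragment buffer */
#define HEAD_TRUESIZE 2048u /* assumed memory behind the linear part */

/* Hypothetical stand-ins, not kernel structures. */
struct shared_info { unsigned int nr_frags; };
struct pkt { unsigned int len, truesize; };

/* Stand-in for the "previous function": building the packet head
 * reinitialises the shared info, so nr_frags reads as 0 afterwards. */
static void build_head(struct pkt *p, struct shared_info *si, unsigned int head_len)
{
    memset(si, 0, sizeof(*si));
    p->len = head_len;
    p->truesize = HEAD_TRUESIZE;
}

/* Buggy order: fragment memory is derived from si.nr_frags after the clear. */
struct pkt convert_buggy(unsigned int nr_frags, unsigned int head_len, unsigned int frags_len)
{
    struct shared_info si = { nr_frags };
    struct pkt p;
    build_head(&p, &si, head_len);
    p.len += frags_len;
    p.truesize += FRAG_BUF_SIZE * si.nr_frags; /* always adds 0 */
    return p;
}

/* Corrected order (assumed): save the fragment count before the clear. */
struct pkt convert_fixed(unsigned int nr_frags, unsigned int head_len, unsigned int frags_len)
{
    struct shared_info si = { nr_frags };
    unsigned int saved_frags = si.nr_frags;
    struct pkt p;
    build_head(&p, &si, head_len);
    p.len += frags_len;
    p.truesize += FRAG_BUF_SIZE * saved_frags;
    return p;
}

/* Model sanity check: accounted memory must cover the bytes carried. */
int truesize_ok(struct pkt p) { return p.truesize >= p.len; }

int main(void)
{
    /* Constructed sample: 9000-byte jumbo frame, 200 bytes linear + 3 fragments. */
    struct pkt b = convert_buggy(3, 200, 8800), f = convert_fixed(3, 200, 8800);
    printf("buggy: len=%u truesize=%u ok=%d\n", b.len, b.truesize, truesize_ok(b));
    printf("fixed: len=%u truesize=%u ok=%d\n", f.len, f.truesize, truesize_ok(f));
    return 0;
}
```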

Impact

Exploitation of this vulnerability can cause a kernel warning and disrupt normal packet processing by improperly handling the coalescing of fragmented packets, according to the Linux kernel commit that introduced the fix.

Reproduction

The vulnerability can be reproduced by setting up two network interfaces with jumbo frames enabled. Interface 1 should have the mb-xdp feature activated and be configured to pass packets, while Interface 2 should be set up to send large ping packets. The incorrect handling of packet sizes will trigger the kernel warning, indicating the vulnerability.

Remediation

Users should update to the latest version of the Linux kernel where this vulnerability has been addressed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.