Linux Kernel vmxnet3 Driver XDP Handling Vulnerability Leading to Packet Size Malformation

Vulnerability

A vulnerability has been identified in the XDP (eXpress Data Path) handling of the Linux kernel's vmxnet3 driver. It affects packets that use ring0, which covers packet sizes between 128 and 3000 bytes. The bug can cause MTU (Maximum Transmission Unit) related connectivity problems when Cilium's service load balancing is used with vmxnet3 as the underlying network interface card (NIC).

Impact

Exploitation of this vulnerability can lead to improper packet sizing, causing connectivity issues and MTU-related problems. In some cases, it can result in the leakage of uninitialized kernel data over the network, potentially including user or payload data from previously processed packets.

Reproduction

The vulnerability can be reproduced by configuring a system to use the vmxnet3 driver with XDP load balancing. When the MTU is set to 1500 on both the XDP load balancer node and the backend node, HTTP requests can be dropped due to oversized IPIP-encapsulated packets. However, lowering the MTU on the XDP load balancer allows the requests to succeed, indicating that the kernel ignored the added padding, which was not visible to users.
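
A capture-side check for the symptom described above, as an added example (not code from this advisory or from the kernel): it flags IPv4 frames whose captured length exceeds the IP total length. It assumes untagged Ethernet II frames and that the added padding appears as bytes trailing the IP datagram; the sample frames are constructed.

```python
import struct

ETH_HLEN = 14            # Ethernet II header without VLAN tag (assumption)
ETH_MIN_FRAME = 60       # minimum frame size without FCS; short frames get zero padding
ETHERTYPE_IPV4 = 0x0800
IPPROTO_IPIP = 4         # outer protocol number for IPIP encapsulation

def check_frame(frame: bytes):
    """Return None for non-IPv4 or truncated frames, otherwise a dict describing
    any bytes that trail the IPv4 datagram inside the captured frame."""
    if len(frame) < ETH_HLEN + 20:
        return None
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ver_ihl, _tos, total_len = struct.unpack_from("!BBH", frame, ETH_HLEN)
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        return None
    end = ETH_HLEN + total_len
    if end > len(frame):
        return None  # capture cut short by snaplen, nothing to compare
    trailer = frame[end:]
    # All-zero padding up to the 60-byte Ethernet minimum is normal.
    benign = len(frame) <= ETH_MIN_FRAME and not any(trailer)
    return {
        "ipip": frame[ETH_HLEN + 9] == IPPROTO_IPIP,
        "ip_total_len": total_len,
        "trailer_len": len(trailer),
        "trailer_nonzero": any(trailer),
        "suspicious": len(trailer) > 0 and not benign,
    }

def build_frame(payload_len: int, trailer: bytes = b"") -> bytes:
    """Constructed sample: Ethernet + outer IPv4 (protocol 4) + opaque payload."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                     IPPROTO_IPIP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"\x00" * payload_len + trailer

if __name__ == "__main__":
    samples = {"clean": build_frame(100),
               "padded": build_frame(100, trailer=b"stale page data " * 8)}
    for name, frame in samples.items():
        print(name, len(frame), check_frame(frame))
```

Feed it frames captured on the backend node's interface; a non-zero `trailer_len` on frames above the Ethernet minimum, especially with `trailer_nonzero` set, matches the oversized-packet symptom.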

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.