Linux Kernel BPF Metadata Leak Vulnerability in Egress Gateway Traffic Handling

Vulnerability

A vulnerability has been identified in the Linux kernel's handling of BPF egress gateway traffic, specifically in versions prior to the latest patch. This issue arises when outgoing Kubernetes Pod traffic is routed through dedicated egress gateways via a VXLAN tunnel. A recent change in BPF introduced the 'bpf_redirect_neigh()' helper to forward packets after they are decapsulated from VXLAN. However, this change inadvertently caused a memory leak by failing to properly release a metadata object associated with the traffic. The VXLAN implementation allocates a metadata object and attaches it to the packet, but this attachment was never cleared, leading to an accumulation of unused memory over time.

Impact

Triggering this vulnerability causes a kernel memory leak: the metadata objects attached to decapsulated packets are never freed, so memory usage grows steadily with traffic volume and system performance degrades over time.

Reproduction

The vulnerability can be reproduced by enabling the BPF egress gateway feature in Cilium, which directs outgoing Kubernetes Pod traffic through dedicated egress gateways. This traffic is then sent over a VXLAN tunnel. The memory leak can be observed by monitoring the 'kmalloc-256' slab usage in the kernel, which will show an increase over time as the metadata objects are not released properly.
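The following is an added example, not code from the advisory, the Linux kernel or the Cilium project, showing how a defender would watch the 'kmalloc-256' slab described above for the kind of growth this leak produces. It parses the "version: 2.1" layout of /proc/slabinfo and compares two samples; the two snapshots embedded below are constructed for the demonstration, and the growth thresholds are assumed tuning values rather than anything the kernel defines.

```python
"""Detect steady growth of a named slab cache from /proc/slabinfo samples.

Added example (not from the advisory, the Linux kernel or Cilium).
Assumes the /proc/slabinfo "version: 2.1" line layout:
  name active_objs num_objs objsize objperslab pagesperslab : tunables ... : slabdata ...
"""
import time
from dataclasses import dataclass
from typing import Optional

# Constructed snapshots mimicking two reads of /proc/slabinfo, five minutes
# apart, on a node forwarding egress-gateway traffic over VXLAN.
SAMPLE_T0 = """slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kmalloc-512         4096   4096    512   16    2 : tunables    0    0    0 : slabdata    256    256      0
kmalloc-256        12000  12288    256   16    1 : tunables    0    0    0 : slabdata    768    768      0
kmalloc-128         8192   8192    128   32    1 : tunables    0    0    0 : slabdata    256    256      0
"""

SAMPLE_T1 = """slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
kmalloc-512         4100   4128    512   16    2 : tunables    0    0    0 : slabdata    258    258      0
kmalloc-256        98000  98304    256   16    1 : tunables    0    0    0 : slabdata   6144   6144      0
kmalloc-128         8200   8224    128   32    1 : tunables    0    0    0 : slabdata    257    257      0
"""


@dataclass
class SlabStat:
    name: str
    active_objs: int
    num_objs: int
    objsize: int

    @property
    def active_bytes(self) -> int:
        """Approximate memory held by live objects in this cache."""
        return self.active_objs * self.objsize


def parse_slabinfo(text: str, cache: str) -> Optional[SlabStat]:
    """Return the stats for `cache` from a /proc/slabinfo dump, or None if absent."""
    for line in text.splitlines():
        if line.startswith("#") or line.startswith("slabinfo"):
            continue  # header lines
        fields = line.split()
        if len(fields) < 4 or fields[0] != cache:
            continue
        return SlabStat(fields[0], int(fields[1]), int(fields[2]), int(fields[3]))
    return None


def leak_suspected(before: SlabStat, after: SlabStat, elapsed_s: float,
                   min_growth_ratio: float = 2.0,
                   min_rate_per_s: float = 10.0) -> bool:
    """Flag a cache whose active object count both multiplied by at least
    min_growth_ratio and grew at least min_rate_per_s objects per second.
    Both thresholds are assumed tuning knobs, not kernel-defined values."""
    if before.name != after.name or elapsed_s <= 0:
        raise ValueError("samples must be of the same cache, taken in order")
    delta = after.active_objs - before.active_objs
    if delta <= 0:
        return False  # shrinking or flat: not a leak signature
    ratio = after.active_objs / max(before.active_objs, 1)
    return ratio >= min_growth_ratio and delta / elapsed_s >= min_rate_per_s


def watch(cache: str = "kmalloc-256", interval_s: float = 60.0,
          rounds: int = 10) -> None:
    """Poll the real /proc/slabinfo (readable by root only) and report growth."""
    with open("/proc/slabinfo") as f:
        prev = parse_slabinfo(f.read(), cache)
    for _ in range(rounds):
        time.sleep(interval_s)
        with open("/proc/slabinfo") as f:
            cur = parse_slabinfo(f.read(), cache)
        if prev is None or cur is None:
            print(f"{cache}: cache not found in /proc/slabinfo")
            return
        flag = "LEAK?" if leak_suspected(prev, cur, interval_s) else "ok"
        print(f"{cache}: {prev.active_objs} -> {cur.active_objs} objs "
              f"({cur.active_bytes / 1024:.0f} KiB live) {flag}")
        prev = cur


if __name__ == "__main__":
    # Offline demonstration on the constructed snapshots (300 s apart).
    t0 = parse_slabinfo(SAMPLE_T0, "kmalloc-256")
    t1 = parse_slabinfo(SAMPLE_T1, "kmalloc-256")
    print("kmalloc-256 leak suspected:", leak_suspected(t0, t1, 300.0))
```

Run `watch()` as root on a node with the egress gateway enabled to sample the live file. Note that with the SLUB allocator, `kmalloc-256` is a general-purpose cache shared by many kernel users, so a rising count is a signal to correlate with traffic through the VXLAN path, not proof on its own; the thresholds in `leak_suspected` should be tuned against the node's normal baseline.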

Remediation

Users can apply the latest patch available in the Linux kernel stable tree to address this vulnerability.

Added: Nov 12, 2025, 10:52 PM
Updated: Nov 12, 2025, 10:52 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  4.3
  remediation     7.7
  relevance       0.9
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.