Linux
cpe:2.3:o:debian:debian_linux:*:*:*:*:*:*:*
- 6.16.8-1
- 6.16.9-1
- 6.17.2-1~exp1
A vulnerability in the Linux kernel's xsk component has been identified, leading to a NULL pointer dereference and subsequent kernel panic. This issue occurs when an IP packet is sent from user space to an xsk socket bound to a veth interface. The problem arises because the xsk completion queue (CQ) descriptor number is stored in the socket's control block, which can be overwritten by other subsystems, causing a NULL pointer dereference in the xsk_destruct_skb function. The vulnerability has been reproduced in Linux kernel versions 6.16.8, 6.16.9, and 6.17.2, while earlier versions do not exhibit the issue.
Exploitation of this vulnerability causes a kernel panic due to a NULL pointer dereference, disrupting system operations and potentially leading to a denial-of-service condition.
The vulnerability can be reproduced by creating a veth pair, bringing both interfaces up, and sending an IP packet from user space to an xsk socket bound to one of the veth interfaces. This can be done with a C program that uses the xsk socket API, compiled against libxdp, and run in an environment such as QEMU with an affected kernel version.
The vulnerability has been addressed in the Linux kernel by reverting the problematic commit and implementing a proper fix, which is available in the latest kernel versions. Users can update to these versions to mitigate the vulnerability.
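For triage, a crash from this bug shows up in the kernel log as a NULL pointer dereference whose faulting instruction is in xsk_destruct_skb. The following is an added example, not code from the kernel project or from this page: a small parser that picks such oopses out of a saved dmesg or console log. The sample log, process names and `example_other_func` are constructed for illustration.

```python
import re

# Releases the page lists as reproducing the crash.
REPRODUCED_ON = {"6.16.8", "6.16.9", "6.17.2"}

OOPS_START = re.compile(r"BUG: kernel NULL pointer dereference, address: (\S+)")
RIP = re.compile(r"RIP: [0-9a-f]{4}:(\w+)\+0x")  # faulting kernel symbol
RELEASE = re.compile(r"(?:Not tainted|Tainted:.*?) (\d+\.\d+\.\d+)")
OOPS_END = re.compile(r"---\[ end trace")

# Constructed sample: one oops in xsk_destruct_skb, one unrelated oops.
SAMPLE_LOG = """\
[  101.000001] BUG: kernel NULL pointer dereference, address: 0000000000000000
[  101.000002] CPU: 1 UID: 0 PID: 412 Comm: xsk_send Not tainted 6.16.8 #1
[  101.000003] RIP: 0010:xsk_destruct_skb+0x1a/0x90
[  101.000004] ---[ end trace 0000000000000000 ]---
[  250.000001] BUG: kernel NULL pointer dereference, address: 0000000000000010
[  250.000002] CPU: 0 UID: 0 PID: 77 Comm: worker Not tainted 6.12.1 #1
[  250.000003] RIP: 0010:example_other_func+0x8/0x40
[  250.000004] ---[ end trace 0000000000000000 ]---
"""

def find_xsk_oopses(log_text, symbol="xsk_destruct_skb"):
    """Return one record per NULL-dereference oops whose faulting RIP is `symbol`."""
    hits, cur = [], None

    def close():
        # Keep the current oops only if it faulted in the symbol of interest.
        if cur and cur["rip"] == symbol:
            cur["reproduced_release"] = cur["release"] in REPRODUCED_ON
            hits.append(cur)

    for line in log_text.splitlines():
        if m := OOPS_START.search(line):
            close()  # previous oops had no end marker
            cur = {"address": m.group(1), "rip": None, "release": None}
        elif cur is None:
            continue
        elif cur["rip"] is None and (m := RIP.search(line)):
            cur["rip"] = m.group(1)
        elif cur["release"] is None and (m := RELEASE.search(line)):
            cur["release"] = m.group(1)
        elif OOPS_END.search(line):
            close()
            cur = None
    close()  # log cut off mid-oops, as happens when the machine panics
    return hits
```

A hit with `reproduced_release` set to false still deserves a look, since the page only lists the releases on which the crash was reproduced.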