Linux Kernel Veth Component Transmit Queue Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in the Linux kernel's veth (virtual Ethernet) component, specifically in versions prior to the latest patch. This issue arises from a race condition in the packet transmission function, veth_xmit(), which can cause a transmit queue (TXQ) to become permanently stalled. The problem was observed on ARM64 systems using Ampere Altra Max processors. The vulnerability occurs when the transmission function detects a full pointer ring buffer and stops the queue to prevent packet loss. However, the logic intended to restart the queue can fail, leading to a 'lost wakeup' scenario where the TXQ remains halted and network traffic is disrupted. This failure is due to an improper use of the pointer ring buffer API from the transmission side, creating a race condition that is not reliable when the receiving side is processed on a different CPU.

Impact

Exploitation of this vulnerability causes a permanent stall in the transmit queue, halting network traffic over the affected virtual Ethernet interface.

Reproduction

The vulnerability can be reproduced by creating a virtual Ethernet interface and generating network traffic that fills the pointer ring buffer. The veth_xmit() function will then stop the transmit queue. If the veth_poll() function, which is responsible for processing incoming packets, completes its work before the transmit queue is restarted, the queue will remain stopped, causing a disruption in network traffic.

Remediation

Users can apply the latest patch available in the Linux kernel stable tree to address this vulnerability.