Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A race condition vulnerability has been identified in the Linux kernel's veth networking component, specifically in how it handles eXpress Data Path (XDP) return frames. This issue arises in versions of the Linux kernel prior to the latest commit, when veth is run in threaded NAPI mode. The vulnerability allows concurrent execution of veth's polling function, leading to potential exposure of old or uninitialized descriptors. The root cause lies in the BPF net context management, which, after a recent change, is now stored in the current task's structure, creating a conflict between overlapping NAPI instances. This vulnerability could be exploited by manipulating the timing of NAPI completions and initiations, causing one instance to interfere with another's processing of XDP return frames.
Exploitation of this vulnerability could lead to incorrect handling of XDP return frames, potentially causing data corruption or mismanagement within the networking stack.
To reproduce this vulnerability, run the veth component in threaded NAPI mode on a Linux kernel version prior to the latest commit. The race condition can be triggered by starting a new NAPI instance before the previous one has completed, causing both instances to interfere with each other's XDP frame processing.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed.
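The precondition named above is veth running in threaded NAPI mode. The following check lists veth interfaces in that mode on a host that has not yet been upgraded. It is an added example, not code from the advisory or the kernel project, and it assumes iproute2's `ip` is installed and that the kernel exposes the per-device `threaded` attribute under `/sys/class/net`.

```shell
#!/bin/sh
# Added example: report veth interfaces that have threaded NAPI enabled.
# Assumes iproute2 and the /sys/class/net/<iface>/threaded sysfs attribute.

# list_veth: print the names of all veth interfaces in this network namespace.
list_veth() {
    # "ip -o link show type veth" prints e.g. "5: veth0@veth1: <BROADCAST,...>"
    ip -o link show type veth 2>/dev/null |
        awk -F': ' '{ split($2, a, "@"); print a[1] }'
}

# veth_threaded_report SYSROOT IFACE...
# Prints "<iface> threaded=<value>" for every interface whose
# SYSROOT/<iface>/threaded file is readable and holds a non-zero value.
# Returns 0 if at least one such interface was found, 1 otherwise.
veth_threaded_report() {
    sysroot=$1; shift
    found=1
    for ifc in "$@"; do
        f="$sysroot/$ifc/threaded"
        [ -r "$f" ] || continue        # kernels without the attribute
        val=$(tr -d '[:space:]' < "$f")
        case "$val" in
            ''|0) ;;                    # softirq NAPI, not the mode described above
            *) printf '%s threaded=%s\n' "$ifc" "$val"; found=0 ;;
        esac
    done
    return "$found"
}

# Scan the live system only when asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--scan" ]; then
    # Word splitting of the interface list is intended here.
    # shellcheck disable=SC2046
    veth_threaded_report /sys/class/net $(list_veth) ||
        echo "no veth interface in threaded NAPI mode"
fi
```

Run it with `--scan` inside each network namespace of interest, since `ip` and `/sys/class/net` only show the interfaces of the current namespace.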