Linux Kernel XDP Frame Metadata Size Vulnerability in BPF Test Run

A vulnerability in the Linux kernel's BPF test run feature for XDP (eXpress Data Path) has been addressed. The issue arose because the BPF test run did not properly account for the size of the XDP frame, allowing userspace to specify a metadata size that could exceed the available headroom. This oversight could lead to packet transmission with an uninitialized frame structure, causing potential disruptions. The vulnerability was particularly problematic in live packet mode, where the XDP frame headroom is critical for proper packet handling.

Impact

The vulnerability could cause packet transmission issues by allowing an uninitialized XDP frame to be sent, which could disrupt normal network operations.

Reproduction

To reproduce this vulnerability, use the BPF test run feature with XDP in live packet mode. Specify a metadata size that exceeds the available headroom, taking into account the size of the XDP frame. This will trigger the vulnerability by causing the XDP update function to fail, while still allowing the packet to be transmitted with an uninitialized frame.

Remediation

The vulnerability has been fixed by adding a check on the metadata size to ensure it does not exceed the available headroom, and by reordering the checks for clarity.