Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
- >= 6.19.0-rc1, < 6.19.0-rc1+
A memory-corruption bug exists in the multi-buffer tail-growth path of the Linux kernel's XDP (eXpress Data Path) implementation. Many Ethernet drivers register the XDP receive queue fragment size as the same value they use as their maximum DMA write size, whereas 'bpf_xdp_frags_increase_tail()' treats that value as the true capacity of the fragment and derives the available tailroom from it by subtracting the fragment's length and its page offset. In the 'ixgbevf' driver, for example, the maximum DMA write size is 3 KB. When the 'xskxceiver' selftest is run with the 'XDP_ADJUST_TAIL_GROW_MULTI_BUFF' test, a 6 KB packet fully occupies the DMA-writable space of two buffers. Had the fragment size been reported as 4 KB, the subtraction would still have left room to grow into; with the 3 KB value it produces a negative tailroom, because the fragment data starts at a non-zero page offset. Since the tailroom variable was unsigned, the negative result wraps to a large positive value instead of producing an error, the grow request passes the bounds check, and the tail is extended past the end of the buffer. The resulting out-of-bounds write corrupts memory and, in the reported case, ends in a general protection fault and a segmentation fault, as shown in the kernel logs.
In the reported case, triggering the bug produces a general protection fault, likely from a non-canonical address touched after the out-of-bounds write, and a segmentation fault in the 'xskxceiver' process.
The bug can be reproduced by running the 'xskxceiver' selftest (from the kernel's BPF selftests under 'tools/testing/selftests/bpf') with the 'XDP_ADJUST_TAIL_GROW_MULTI_BUFF' test on a system whose NIC is driven by 'ixgbevf'. The 6 KB packet used by that test fills the 3 KB DMA-writable area of two buffers, which triggers the negative tailroom calculation and the resulting memory corruption.
The fix changes the tailroom variable to a signed integer and adds a warning when the computed value is negative, so that a misreported fragment size is rejected rather than silently wrapping to a large positive value. Users should update to a kernel release that contains this fix.
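As an added example that is not code from the kernel or from this advisory, the following user-space C model reproduces the arithmetic behind both the bug described above and the fix: a 3 KB fragment size reported for a fully written fragment at a non-zero page offset, first with the unsigned tailroom computation that wraps and accepts the grow, then with the signed computation that rejects it and warns. The struct and function names are hypothetical, the 192-byte page offset and 1 KB grow request are constructed values, and the 4 KB page is an assumption.

```c
#include <stdio.h>

/*
 * Hypothetical model of the three quantities that feed the tailroom
 * calculation in bpf_xdp_frags_increase_tail(); not the kernel's structs.
 */
struct frag_model {
	unsigned int rxq_frag_size; /* rxq->frag_size as registered by the driver */
	unsigned int frag_len;      /* bytes already written into the last frag */
	unsigned int frag_off;      /* page offset at which the frag data starts */
};

#define PAGE_SZ 4096u /* assumed page size */

/* Vulnerable form: unsigned subtraction wraps instead of going negative.
 * Returns 0 if the grow is accepted, -1 if rejected. */
static int grow_check_unsigned(const struct frag_model *f, unsigned int grow)
{
	unsigned int tailroom = f->rxq_frag_size - f->frag_len - f->frag_off;

	if (grow > tailroom)
		return -1;		/* -EINVAL in the kernel */
	return 0;			/* grow accepted, memset past the buffer */
}

/* Fixed form: signed tailroom. Returns 0 if the grow fits, -1 if it does
 * not, and -2 (after a warning) if the tailroom is already negative, which
 * can only happen when the driver misreported its fragment size. */
static int grow_check_signed(const struct frag_model *f, unsigned int grow)
{
	int tailroom = (int)f->rxq_frag_size - (int)f->frag_len - (int)f->frag_off;

	if (tailroom < 0) {
		fprintf(stderr, "warning: negative tailroom %d\n", tailroom);
		return -2;
	}
	if (grow > (unsigned int)tailroom)
		return -1;
	return 0;
}

/* Byte offset within the page at which an accepted grow would stop writing. */
static unsigned int write_end(const struct frag_model *f, unsigned int grow)
{
	return f->frag_off + f->frag_len + grow;
}

/* ixgbevf-like case from the advisory: 3 KB DMA write size reported as the
 * fragment size, fragment completely filled, constructed 192-byte offset. */
static const struct frag_model ixgbevf_like = { 3072, 3072, 192 };
/* Same buffer with the fragment size reported as the full 4 KB. */
static const struct frag_model correct_4k = { 4096, 3072, 192 };

int main(void)
{
	unsigned int grow = 1024;

	printf("unsigned check, frag_size=3072, grow=%u: %s\n", grow,
	       grow_check_unsigned(&ixgbevf_like, grow) == 0 ? "ACCEPTED" : "rejected");
	printf("  write would end at byte %u of a %u-byte page\n",
	       write_end(&ixgbevf_like, grow), PAGE_SZ);
	printf("signed check,   frag_size=3072, grow=%u: rc=%d\n", grow,
	       grow_check_signed(&ixgbevf_like, grow));
	printf("signed check,   frag_size=4096, grow=%u: rc=%d\n", grow,
	       grow_check_signed(&correct_4k, grow));
	printf("signed check,   frag_size=4096, grow=512:  rc=%d\n",
	       grow_check_signed(&correct_4k, 512));
	return 0;
}
```

With the 3 KB value the unsigned tailroom is -192 wrapped to 4294967104, so the 1 KB grow is accepted and would write up to byte 4288 of a 4 KB page; the signed version returns -2 and warns. With a correctly reported 4 KB fragment size the tailroom is 832, so a 1 KB grow is rejected and a 512-byte grow is accepted by both versions, which is why the bug only surfaces when the driver's reported fragment size is smaller than the real buffer.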