Linux Kernel XDP Fragment Size Vulnerability in Intel Ice Driver Allows Kernel Panic

Vulnerability

A vulnerability in the Linux kernel's Intel Ice driver can lead to a kernel panic when using the XDP (eXpress Data Path) feature. The issue arises because the driver incorrectly handles the fragment size for received packets, using the DMA write length instead of the actual buffer size. This discrepancy can cause negative tailroom, which is problematic when certain packet sizes and offsets are used. While the panic does not occur in the driver’s Zero-Copy mode, the tailroom issue persists, indicating a flaw in how the driver manages packet data under specific conditions.
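The following is an added illustration written for this page; it is not the ice driver's or the kernel's code. It models the accounting the advisory describes: the tailroom available to an XDP tail-grow on a fragment is derived from the recorded fragment size, and if that size is taken from the DMA write length rather than the allocated buffer, the result goes negative whenever the fragment starts at a non-zero offset. The struct, field names, enum, and the sample numbers (3072-byte buffer, 256-byte offset, 2048 bytes written) are all constructed assumptions; the page does not give the driver's actual crash path, so the signed/unsigned contrast at the end is a generic model of how a negative tailroom can slip past a size check, not a statement about the real code.

```c
/* Added illustration (not the ice driver's or the kernel's code): a
 * simplified model of the tailroom check that decides whether an XDP
 * program may grow the tail of the last fragment of a multi-buffer packet.
 * All sizes below are constructed sample values. */
#include <stdio.h>
#include <stdbool.h>

/* One receive fragment: packet data of 'len' bytes placed at 'page_off'
 * inside a buffer of 'buf_size' bytes. 'dma_len' is how many bytes the
 * NIC actually wrote, which equals 'len' for a fully received fragment. */
struct rx_frag {
    int page_off;
    int len;
    int buf_size;
    int dma_len;
};

/* Where the recorded fragment size comes from: the allocated buffer
 * (correct) or the DMA write length (the mistake the advisory describes). */
enum frag_size_source { FRAG_SIZE_FROM_BUFFER, FRAG_SIZE_FROM_DMA_LEN };

/* Constructed sample fragment: 256-byte offset, 2048 bytes written into a
 * 3072-byte buffer. */
static const struct rx_frag sample_frag = { 256, 2048, 3072, 2048 };

static int recorded_frag_size(const struct rx_frag *f, enum frag_size_source src)
{
    return src == FRAG_SIZE_FROM_BUFFER ? f->buf_size : f->dma_len;
}

/* Signed tailroom: bytes left after the data within the recorded size.
 * With the DMA length as the size this is always -page_off, i.e. negative
 * for any fragment that does not start at the beginning of its buffer. */
static int frag_tailroom(const struct rx_frag *f, enum frag_size_source src)
{
    return recorded_frag_size(f, src) - f->page_off - f->len;
}

/* Hardened grow check: a negative tailroom means the accounting is already
 * inconsistent, so the request is refused instead of being compared. */
static bool tail_grow_allowed(const struct rx_frag *f, enum frag_size_source src, int grow)
{
    int tailroom = frag_tailroom(f, src);
    if (tailroom < 0)
        return false;
    return grow <= tailroom;
}

/* Contrast (constructed, not the real code): the same arithmetic done in an
 * unsigned type. A negative tailroom wraps to a huge value, and even a grow
 * request of 100 times a 9216-byte frame passes the check. */
static bool tail_grow_allowed_unsigned(const struct rx_frag *f, enum frag_size_source src,
                                       unsigned int grow)
{
    unsigned int tailroom = (unsigned int)recorded_frag_size(f, src)
                            - (unsigned int)f->page_off - (unsigned int)f->len;
    return grow <= tailroom;
}

int main(void)
{
    int huge_grow = 100 * 9216; /* mirrors the "100 times max frame size" reproduction */

    printf("tailroom from buffer size : %d\n", frag_tailroom(&sample_frag, FRAG_SIZE_FROM_BUFFER));
    printf("tailroom from DMA length  : %d\n", frag_tailroom(&sample_frag, FRAG_SIZE_FROM_DMA_LEN));
    printf("signed check, huge grow   : %s\n",
           tail_grow_allowed(&sample_frag, FRAG_SIZE_FROM_DMA_LEN, huge_grow) ? "allowed" : "rejected");
    printf("unsigned check, huge grow : %s\n",
           tail_grow_allowed_unsigned(&sample_frag, FRAG_SIZE_FROM_DMA_LEN, (unsigned int)huge_grow)
               ? "allowed" : "rejected");
    return 0;
}
```

The practical takeaway for anyone reviewing similar receive-path code: size bookkeeping for a fragment must come from what was allocated, not from what the hardware happened to write, and any derived tailroom should be computed in a signed type and treated as an error when negative.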

Impact

Exploitation of this vulnerability can cause a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, use the XDP_ADJUST_TAIL_GROW_MULTI_BUFF option with the xskxceiver test tool. Set the packet size to 6912 bytes and the offset to a large value, such as 100 times the maximum frame size. This triggers the kernel panic because the driver mishandles the packet data under these parameters.

Remediation

Users can apply the latest patches from the Linux kernel stable tree to address this vulnerability. The patch is included in the commit referenced by the CVE.

Added: Mar 25, 2026, 11:47 AM
Updated: Mar 25, 2026, 11:47 AM

Vulnerability Rating

Custom Algorithm

  spread          9.0
  impact          2.5
  exploitability  3.9
  remediation     7.7
  relevance       4.7
  threat          4.8
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.