cve/published/2025/CVE-2025-37799.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37799: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

 vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that
 is, packet sizes between 128 - 3k bytes).

 We noticed MTU-related connectivity issues with Cilium's service load-
 balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP
 backend service where the XDP LB was doing IPIP encap led to overly large
 packet sizes but only for *some* of the packets (e.g. HTTP GET request)
 while others (e.g. the prior TCP 3WHS) looked completely fine on the wire.

 In fact, the pcap recording on the backend node actually revealed that the
 node with the XDP LB was leaking uninitialized kernel data onto the wire
 for the affected packets, for example, while the packets should have been
 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes
 was padded with whatever other data was in that page at the time (e.g. we
 saw user/payload data from prior processed packets).

 We only noticed this through an MTU issue, e.g. when the XDP LB node and
 the backend node both had the same MTU (e.g. 1500) then the curl request
 got dropped on the backend node's NIC given the packet was too large even
 though the IPIP-encapped packet normally would never even come close to
 the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let
 the curl request succeed (which also indicates that the kernel ignored the
 padding, and thus the issue wasn't very user-visible).

 Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager
 to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs
 to stick to rcd->len which is the actual packet length from the descriptor.
 The latter we also feed into vmxnet3_process_xdp_small(), by the way, and
 it indicates the correct length needed to initialize the xdp->{data,data_end}
 parts. For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the
 relevant part was adapting xdp_init_buff() to address the warning given the
 xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on
 the wire looks good again.

 The Linux kernel CVE team has assigned CVE-2025-37799 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.6.23 with commit aba8659caf88017507419feea06069f529329ea6 and fixed in 6.6.89 with commit c4312c4d244aa58e811ff0297e013124d115e793
 	Issue introduced in 6.9 with commit e127ce7699c1e05279ee5ee61f00893e7bfa9671 and fixed in 6.12.26 with commit 33e131a10459d16f181c8184d3f17f1c318c7002
 	Issue introduced in 6.9 with commit e127ce7699c1e05279ee5ee61f00893e7bfa9671 and fixed in 6.14.5 with commit e3ad76e36a37b0ff4a71b06d5b33530ee8c3a177
 	Issue introduced in 6.9 with commit e127ce7699c1e05279ee5ee61f00893e7bfa9671 and fixed in 6.15 with commit 4c2227656d9003f4d77afc76f34dd81b95e4c2c4
 	Issue introduced in 6.7.11 with commit 7c8505ecc2d15473d679b8e06335434b84fffe86
 	Issue introduced in 6.8.2 with commit 91d017d19d5a9ad153e2dc23ed3c0e2e79ef5262

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37799
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/net/vmxnet3/vmxnet3_xdp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c4312c4d244aa58e811ff0297e013124d115e793
 	https://git.kernel.org/stable/c/33e131a10459d16f181c8184d3f17f1c318c7002
 	https://git.kernel.org/stable/c/e3ad76e36a37b0ff4a71b06d5b33530ee8c3a177
 	https://git.kernel.org/stable/c/4c2227656d9003f4d77afc76f34dd81b95e4c2c4
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37799: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp

	vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that
	is, packet sizes between 128 - 3k bytes).

	We noticed MTU-related connectivity issues with Cilium's service load-
	balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP
	backend service where the XDP LB was doing IPIP encap led to overly large
	packet sizes but only for some of the packets (e.g. HTTP GET request)
	while others (e.g. the prior TCP 3WHS) looked completely fine on the wire.

	In fact, the pcap recording on the backend node actually revealed that the
	node with the XDP LB was leaking uninitialized kernel data onto the wire
	for the affected packets, for example, while the packets should have been
	152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes
	was padded with whatever other data was in that page at the time (e.g. we
	saw user/payload data from prior processed packets).

	We only noticed this through an MTU issue, e.g. when the XDP LB node and
	the backend node both had the same MTU (e.g. 1500) then the curl request
	got dropped on the backend node's NIC given the packet was too large even
	though the IPIP-encapped packet normally would never even come close to
	the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let
	the curl request succeed (which also indicates that the kernel ignored the
	padding, and thus the issue wasn't very user-visible).

	Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager
	to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs
	to stick to rcd->len which is the actual packet length from the descriptor.
	The latter we also feed into vmxnet3_process_xdp_small(), by the way, and
	it indicates the correct length needed to initialize the xdp->{data,data_end}
	parts. For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the
	relevant part was adapting xdp_init_buff() to address the warning given the
	xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on
	the wire looks good again.

	The Linux kernel CVE team has assigned CVE-2025-37799 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.6.23 with commit aba8659caf88017507419feea06069f529329ea6 and fixed in 6.6.89 with commit c4312c4d244aa58e811ff0297e013124d115e793
	Issue introduced in 6.9 with commit e127ce7699c1e05279ee5ee61f00893e7bfa9671 and fixed in 6.12.26 with commit 33e131a10459d16f181c8184d3f17f1c318c7002
	Issue introduced in 6.9 with commit e127ce7699c1e05279ee5ee61f00893e7bfa9671 and fixed in 6.14.5 with commit e3ad76e36a37b0ff4a71b06d5b33530ee8c3a177
	Issue introduced in 6.9 with commit e127ce7699c1e05279ee5ee61f00893e7bfa9671 and fixed in 6.15 with commit 4c2227656d9003f4d77afc76f34dd81b95e4c2c4
	Issue introduced in 6.7.11 with commit 7c8505ecc2d15473d679b8e06335434b84fffe86
	Issue introduced in 6.8.2 with commit 91d017d19d5a9ad153e2dc23ed3c0e2e79ef5262

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37799
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/net/vmxnet3/vmxnet3_xdp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c4312c4d244aa58e811ff0297e013124d115e793
	https://git.kernel.org/stable/c/33e131a10459d16f181c8184d3f17f1c318c7002
	https://git.kernel.org/stable/c/e3ad76e36a37b0ff4a71b06d5b33530ee8c3a177
	https://git.kernel.org/stable/c/4c2227656d9003f4d77afc76f34dd81b95e4c2c4