CVE-2024-26803

In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled, because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() which is called both on ndo_stop and when XDP is turned off. To avoid the flag from being cleared when the device is brought down, the clearing is skipped when IFF_UP is not set. Bringing the device down should indeed not modify its features. Unfortunately, this means that clearing is also skipped when XDP is disabled _while_ the device is down. And there's nothing on the open path to bring the device features back into sync. IOW if user enables XDP, disables it and then brings the device up we'll end up with a stray GRO flag set but no NAPI instances. We don't depend on the GRO flag on the datapath, so the datapath won't crash. We will crash (or hang), however, next time features are sync'ed (either by user via ethtool or peer changing its config). The GRO flag will go away, and veth will try to disable the NAPIs. But the open path never created them since XDP was off, the GRO flag was a stray. If NAPI was initialized before we'll hang in napi_disable(). If it never was we'll crash trying to stop uninitialized hrtimer. Move the GRO flag updates to the XDP enable / disable paths, instead of mixing them with the ndo_open / ndo_close paths.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664	Patch
https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325	Patch
https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941	Patch
https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c	Patch
https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736	Patch
https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664	Patch
https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325	Patch
https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941	Patch
https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c	Patch
https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc3::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc4::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc5::::::
	cpe:2.3:o:linux:linux_kernel:6.8:rc6::::::

History

01 Apr 2025, 20:35

Type	Values Removed	Values Added
First Time		Linux Linux linux Kernel
CWE		CWE-459
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CPE		cpe:2.3:o:linux:linux_kernel:6.8:rc6:::::: cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.8:rc4:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc3:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.8:rc5::::::
References	~~() https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664 -~~	() https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664 - Patch
References	~~() https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325 -~~	() https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325 - Patch
References	~~() https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941 -~~	() https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941 - Patch
References	~~() https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c -~~	() https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c - Patch
References	~~() https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736 -~~	() https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736 - Patch

21 Nov 2024, 09:03

Type	Values Removed	Values Added
References	~~() https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664 -~~	() https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664 -
References	~~() https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325 -~~	() https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325 -
References	~~() https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941 -~~	() https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941 -
References	~~() https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c -~~	() https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c -
References	~~() https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736 -~~	() https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736 -
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: veth: borra GRO al borrar XDP incluso cuando está desactivado veth configura NETIF_F_GRO automáticamente cuando XDP está habilitado, porque ambas funciones utilizan la misma maquinaria NAPI. La lógica para borrar NETIF_F_GRO se encuentra en veth_disable_xdp(), que se llama tanto en ndo_stop como cuando XDP está desactivado. Para evitar que la bandera se borre cuando se baja el dispositivo, la eliminación se omite cuando IFF_UP no está configurado. De hecho, bajar el dispositivo no debería modificar sus características. Desafortunadamente, esto significa que la limpieza también se omite cuando XDP está deshabilitado _mientras_ el dispositivo está inactivo. Y no hay nada en el camino abierto para volver a sincronizar las funciones del dispositivo. IOW, si el usuario habilita XDP, lo deshabilita y luego enciende el dispositivo, terminaremos con un indicador GRO perdido pero sin instancias NAPI. No dependemos del indicador GRO en la ruta de datos, por lo que la ruta de datos no fallará. Nos bloquearemos (o colgaremos), sin embargo, la próxima vez que se sincronicen las funciones (ya sea por el usuario a través de ethtool o por un compañero cambiando su configuración). La bandera GRO desaparecerá y Veth intentará desactivar las NAPI. Pero el camino abierto nunca los creó ya que XDP estaba desactivado, la bandera GRO estaba perdida. Si NAPI se inicializó antes, colgaremos napi_disable(). Si nunca fue así, fallaremos al intentar detener el hrtimer no inicializado. Mueva las actualizaciones del indicador GRO a las rutas de activación/desactivación de XDP, en lugar de mezclarlas con las rutas ndo_open/ndo_close.

04 Apr 2024, 09:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-04-04 09:15

Updated : 2025-04-01 20:35

NVD link : CVE-2024-26803

Mitre link : CVE-2024-26803

CVE.ORG link : CVE-2024-26803

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-459

Incomplete Cleanup

{"id": "CVE-2024-26803", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-04-04T09:15:09.163", "references": [{"url": "https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/16edf51f33f52dff70ed455bc40a6cc443c04664", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/7985d73961bbb4e726c1be7b9cd26becc7be8325", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8f7a3894e58e6f5d5815533cfde60e3838947941", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f011c103e654d83dc85f057a7d1bd0960d02831c", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/fe9f801355f0b47668419f30f1fac1cf4539e736", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-459"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: veth: clear GRO when clearing XDP even when down\n\nveth sets NETIF_F_GRO automatically when XDP is enabled,\nbecause both features use the same NAPI machinery.\n\nThe logic to clear NETIF_F_GRO sits in veth_disable_xdp() which\nis called both on ndo_stop and when XDP is turned off.\nTo avoid the flag from being cleared when the device is brought\ndown, the clearing is skipped when IFF_UP is not set.\nBringing the device down should indeed not modify its features.\n\nUnfortunately, this means that clearing is also skipped when\nXDP is disabled _while_ the device is down. And there's nothing\non the open path to bring the device features back into sync.\nIOW if user enables XDP, disables it and then brings the device\nup we'll end up with a stray GRO flag set but no NAPI instances.\n\nWe don't depend on the GRO flag on the datapath, so the datapath\nwon't crash. We will crash (or hang), however, next time features\nare sync'ed (either by user via ethtool or peer changing its config).\nThe GRO flag will go away, and veth will try to disable the NAPIs.\nBut the open path never created them since XDP was off, the GRO flag\nwas a stray. If NAPI was initialized before we'll hang in napi_disable().\nIf it never was we'll crash trying to stop uninitialized hrtimer.\n\nMove the GRO flag updates to the XDP enable / disable paths,\ninstead of mixing them with the ndo_open / ndo_close paths."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: veth: borra GRO al borrar XDP incluso cuando est\u00e1 desactivado veth configura NETIF_F_GRO autom\u00e1ticamente cuando XDP est\u00e1 habilitado, porque ambas funciones utilizan la misma maquinaria NAPI. La l\u00f3gica para borrar NETIF_F_GRO se encuentra en veth_disable_xdp(), que se llama tanto en ndo_stop como cuando XDP est\u00e1 desactivado. Para evitar que la bandera se borre cuando se baja el dispositivo, la eliminaci\u00f3n se omite cuando IFF_UP no est\u00e1 configurado. De hecho, bajar el dispositivo no deber\u00eda modificar sus caracter\u00edsticas. Desafortunadamente, esto significa que la limpieza tambi\u00e9n se omite cuando XDP est\u00e1 deshabilitado _mientras_ el dispositivo est\u00e1 inactivo. Y no hay nada en el camino abierto para volver a sincronizar las funciones del dispositivo. IOW, si el usuario habilita XDP, lo deshabilita y luego enciende el dispositivo, terminaremos con un indicador GRO perdido pero sin instancias NAPI. No dependemos del indicador GRO en la ruta de datos, por lo que la ruta de datos no fallar\u00e1. Nos bloquearemos (o colgaremos), sin embargo, la pr\u00f3xima vez que se sincronicen las funciones (ya sea por el usuario a trav\u00e9s de ethtool o por un compa\u00f1ero cambiando su configuraci\u00f3n). La bandera GRO desaparecer\u00e1 y Veth intentar\u00e1 desactivar las NAPI. Pero el camino abierto nunca los cre\u00f3 ya que XDP estaba desactivado, la bandera GRO estaba perdida. Si NAPI se inicializ\u00f3 antes, colgaremos napi_disable(). Si nunca fue as\u00ed, fallaremos al intentar detener el hrtimer no inicializado. Mueva las actualizaciones del indicador GRO a las rutas de activaci\u00f3n/desactivaci\u00f3n de XDP, en lugar de mezclarlas con las rutas ndo_open/ndo_close."}], "lastModified": "2025-04-01T20:35:43.953", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "853CEBB6-8069-462F-83BC-C65A106236DB", "versionEndExcluding": "5.15.151", "versionStartIncluding": "5.13"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EC825B0E-DFCA-4034-9B92-F111A4E2A732", "versionEndExcluding": "6.1.81", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B19074A2-9FE5-4E7D-9E2D-020F95013ADA", "versionEndExcluding": "6.6.21", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1C538467-EDA0-4A9A-82EB-2925DE9FF827", "versionEndExcluding": "6.7.9", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F02056A5-B362-4370-9FF8-6F0BD384D520"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62075ACE-B2A0-4B16-829D-B3DA5AE5CC41"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A780F817-2A77-4130-A9B7-5C25606314E3"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AEB9199B-AB8F-4877-8964-E2BA95B5F15C"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}

5.5 /10