GHSA-274G-94C9-XMPH
Vulnerability from github – Published: 2025-04-29 12:30 – Updated: 2025-05-09 21:31In the Linux kernel, the following vulnerability has been resolved:
vmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame
Andrew and Nikolay reported connectivity issues with Cilium's service load-balancing in case of vmxnet3.
If a BPF program for native XDP adds an encapsulation header such as IPIP and transmits the packet out the same interface, then in case of vmxnet3 a corrupted packet is being sent and subsequently dropped on the path.
vmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp() through vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:
page = virt_to_page(xdpf->data); tbi->dma_addr = page_pool_get_dma_addr(page) + VMXNET3_XDP_HEADROOM; dma_sync_single_for_device(&adapter->pdev->dev, tbi->dma_addr, buf_size, DMA_TO_DEVICE);
The above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP BPF program could have moved xdp->data. While the passed buf_size is correct (xdpf->len), the dma_addr needs to have a dynamic offset which can be calculated as xdpf->data - (void *)xdpf, that is, xdp->data - xdp->data_hard_start.
{
"affected": [],
"aliases": [
"CVE-2024-58099"
],
"database_specific": {
"cwe_ids": [
"CWE-787"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-04-29T12:15:31Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: Fix packet corruption in vmxnet3_xdp_xmit_frame\n\nAndrew and Nikolay reported connectivity issues with Cilium\u0027s service\nload-balancing in case of vmxnet3.\n\nIf a BPF program for native XDP adds an encapsulation header such as\nIPIP and transmits the packet out the same interface, then in case\nof vmxnet3 a corrupted packet is being sent and subsequently dropped\non the path.\n\nvmxnet3_xdp_xmit_frame() which is called e.g. via vmxnet3_run_xdp()\nthrough vmxnet3_xdp_xmit_back() calculates an incorrect DMA address:\n\n page = virt_to_page(xdpf-\u003edata);\n tbi-\u003edma_addr = page_pool_get_dma_addr(page) +\n VMXNET3_XDP_HEADROOM;\n dma_sync_single_for_device(\u0026adapter-\u003epdev-\u003edev,\n tbi-\u003edma_addr, buf_size,\n DMA_TO_DEVICE);\n\nThe above assumes a fixed offset (VMXNET3_XDP_HEADROOM), but the XDP\nBPF program could have moved xdp-\u003edata. While the passed buf_size is\ncorrect (xdpf-\u003elen), the dma_addr needs to have a dynamic offset which\ncan be calculated as xdpf-\u003edata - (void *)xdpf, that is, xdp-\u003edata -\nxdp-\u003edata_hard_start.",
"id": "GHSA-274g-94c9-xmph",
"modified": "2025-05-09T21:31:08Z",
"published": "2025-04-29T12:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58099"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/4678adf94da4a9e9683817b246b58ce15fb81782"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/59ba6cdadb9c26b606a365eb9c9b25eb2052622d"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/f82eb34fb59a8fb96c19f4f492c20eb774140bb5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.