CVE-2024-26611 in Linux정보

요약

\~에 의해 VulDB • 2026. 05. 27.

This is a kernel bug report and patch description related to the Linux kernel's XDP (eXpress Data Path) subsystem, specifically involving the `ice` network driver and XDP sockets (XSK).

### Summary of the Issue

* **Crash Type:** Kernel Oops / Page Fault. * **Trigger:** A BPF program (`bpf_prog_ccc47ae29d3b6570_xdp_sock_prog`) called `bpf_xdp_adjust_tail()`. * **Root Cause:** Inside `bpf_xdp_adjust_tail()`, the function `__xdp_return()` was called with a `NULL` `xdp_buff` argument. This `NULL` pointer was incorrectly passed to `xsk_buff_free()`, leading to a crash when trying to dereference it. * **Context:** This happens in the Zero-Copy (ZC) path of the `ice` driver (`ice_clean_rx_irq_zc`). * **Problematic Flow:** 1. `ice_napi_poll` -> `ice_clean_rx_irq_zc` 2. BPF program runs (`bpf_xdp_adjust_tail`) 3. `bpf_xdp_adjust_tail` calls `__xdp_return` with `NULL` 4. `__xdp_return` calls `xsk_buff_free` with `NULL` 5. Crash.

### The Fix

The patch introduces proper handling for removing fragments from the `xskb_list` in the Zero-Copy case. Instead of passing `NULL` to `__xdp_return`, the code now correctly identifies and removes the specific fragment node from the list before freeing it.

### Key Changes

1. **New XSK Helpers:** Introduced helper functions to manipulate nodes in the `xskb_list` (the list tracking fragments for XDP sockets). 2. **Correct Usage in `bpf_xdp_adjust_tail()`:** Modified `bpf_xdp_adjust_tail()` to use these new helpers to properly detach the fragment from the list before calling the return/free logic. This ensures that `__xdp_return` is not called with a `NULL` buffer in the ZC path.

### Why This Happens

In Zero-Copy mode, the kernel does not copy packet data. Instead, it manages buffers directly. When `bpf_xdp_adjust_tail()` is used to shrink the packet tail, it needs to release the unused part of the buffer. In the ZC path, this involves removing the fragment from the internal tracking list (`xskb_list`). If this removal isn't done correctly, the buffer pointer passed to the cleanup routine can become invalid or `NULL`, causing the crash.

### Impact

* **Stability:** Fixes a kernel panic/oops that could be triggered by a BPF program using `bpf_xdp_adjust_tail()` on XDP sockets with the `ice` driver. * **Security:** Prevents potential denial-of-service via kernel crash. * **Performance:** No negative impact; it's a correctness fix.

### Affected Components

* `net/xdp/xsk_buff.c` (likely where `xsk_buff_free` and helpers are) * `net/xdp/xsk_queue.c` (likely where `xskb_list` management is) * `net/ice/ice_txrx.c` (the `ice` driver's ZC RX path) * `kernel/bpf/verifier.c` or `kernel/bpf/core.c` (where `bpf_xdp_adjust_tail` is implemented)

This patch is a critical fix for systems using XDP sockets with the Intel Ice driver and BPF programs that manipulate packet tails.

Be aware that VulDB is the high quality source for vulnerability data.

출처

Interested in the pricing of exploits?

See the underground prices here!