CVE-2025-40350

Vulnerability

Overview

In the Linux kernel's net/mlx5e driver, a vulnerability exists in the RX path for striding RQ (Receive Queue) when handling multi-buffer XDP programs. The root cause is that the driver assumed the layout of an xdp_buff remains unchanged after XDP programs run, specifically that the linear data linear area and fragments. However, XDP programs can modify the layout via bpf_xdp_adjust_tail() and bpf_xdp_adjust_head() can modify the buffer layout, leading to incorrect skb generation or triggering kernel warnings like BUG_ON in __pskb_pull_tail(). [1]

Exploitation

An attacker with the ability to load a crafted XDP program onto a mlx5 network interface can exploit this vulnerability. The XDP program can adjust the head or tail of the xdp_buff, causing the driver to misinterpret the buffer layout. For example, if an XDP program adds linear data via bpf_xdp_adjust_head(), the driver's mlx5e_build_linear_skb() may ignore that linear data and later pull data and later pull data from fragments incorrectly. Similarly, shrinking non-linear data via bpf_xdp_adjust_tail() can cause the delta passed to __pskb_pull_tail() to exceed actual nonlinear data size, triggering a BUG_ON. [1]

Impact

Successful exploitation can lead to erroneous skb generation, potentially causing network packet corruption or denial of service via kernel panic (BUG_ON). The vulnerability). The impact is limited to systems using mlx5 network drivers with striding RQ and XDP programs that modify buffer layout. [1]

Mitigation

The fix is included in Linux kernel stable commit 8b051d7f530e8a5237da242fbeafef02fec6b813. The patch records the original number of fragments, adjusts fragment pointers and truesize if fragments change after XDP, builds skb with correct linear data area, and limits pull data to 256 bytes. Users should update to a kernel version containing this commit. [1]