CVE-2025-37799 (GCVE-0-2025-37799)
Vulnerability from cvelistv5
Published
2025-05-03 11:39
Modified
2025-05-26 05:21
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp vmxnet3 driver's XDP handling is buggy for packet sizes using ring0 (that is, packet sizes between 128 - 3k bytes). We noticed MTU-related connectivity issues with Cilium's service load- balancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP backend service where the XDP LB was doing IPIP encap led to overly large packet sizes but only for *some* of the packets (e.g. HTTP GET request) while others (e.g. the prior TCP 3WHS) looked completely fine on the wire. In fact, the pcap recording on the backend node actually revealed that the node with the XDP LB was leaking uninitialized kernel data onto the wire for the affected packets, for example, while the packets should have been 152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes was padded with whatever other data was in that page at the time (e.g. we saw user/payload data from prior processed packets). We only noticed this through an MTU issue, e.g. when the XDP LB node and the backend node both had the same MTU (e.g. 1500) then the curl request got dropped on the backend node's NIC given the packet was too large even though the IPIP-encapped packet normally would never even come close to the MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let the curl request succeed (which also indicates that the kernel ignored the padding, and thus the issue wasn't very user-visible). Commit e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") was too eager to also switch xdp_prepare_buff() from rcd->len to rbi->len. It really needs to stick to rcd->len which is the actual packet length from the descriptor. The latter we also feed into vmxnet3_process_xdp_small(), by the way, and it indicates the correct length needed to initialize the xdp->{data,data_end} parts. For e127ce7699c1 ("vmxnet3: Fix missing reserved tailroom") the relevant part was adapting xdp_init_buff() to address the warning given the xdp_data_hard_end() depends on xdp->frame_sz. With that fixed, traffic on the wire looks good again.
References
Impacted products
Vendor Product Version
Linux Linux Version: aba8659caf88017507419feea06069f529329ea6
Version: e127ce7699c1e05279ee5ee61f00893e7bfa9671
Version: e127ce7699c1e05279ee5ee61f00893e7bfa9671
Version: e127ce7699c1e05279ee5ee61f00893e7bfa9671
Version: 7c8505ecc2d15473d679b8e06335434b84fffe86
Version: 91d017d19d5a9ad153e2dc23ed3c0e2e79ef5262
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vmxnet3/vmxnet3_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c4312c4d244aa58e811ff0297e013124d115e793",
              "status": "affected",
              "version": "aba8659caf88017507419feea06069f529329ea6",
              "versionType": "git"
            },
            {
              "lessThan": "33e131a10459d16f181c8184d3f17f1c318c7002",
              "status": "affected",
              "version": "e127ce7699c1e05279ee5ee61f00893e7bfa9671",
              "versionType": "git"
            },
            {
              "lessThan": "e3ad76e36a37b0ff4a71b06d5b33530ee8c3a177",
              "status": "affected",
              "version": "e127ce7699c1e05279ee5ee61f00893e7bfa9671",
              "versionType": "git"
            },
            {
              "lessThan": "4c2227656d9003f4d77afc76f34dd81b95e4c2c4",
              "status": "affected",
              "version": "e127ce7699c1e05279ee5ee61f00893e7bfa9671",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7c8505ecc2d15473d679b8e06335434b84fffe86",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "91d017d19d5a9ad153e2dc23ed3c0e2e79ef5262",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/vmxnet3/vmxnet3_xdp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.8.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp\n\nvmxnet3 driver\u0027s XDP handling is buggy for packet sizes using ring0 (that\nis, packet sizes between 128 - 3k bytes).\n\nWe noticed MTU-related connectivity issues with Cilium\u0027s service load-\nbalancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP\nbackend service where the XDP LB was doing IPIP encap led to overly large\npacket sizes but only for *some* of the packets (e.g. HTTP GET request)\nwhile others (e.g. the prior TCP 3WHS) looked completely fine on the wire.\n\nIn fact, the pcap recording on the backend node actually revealed that the\nnode with the XDP LB was leaking uninitialized kernel data onto the wire\nfor the affected packets, for example, while the packets should have been\n152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes\nwas padded with whatever other data was in that page at the time (e.g. we\nsaw user/payload data from prior processed packets).\n\nWe only noticed this through an MTU issue, e.g. when the XDP LB node and\nthe backend node both had the same MTU (e.g. 1500) then the curl request\ngot dropped on the backend node\u0027s NIC given the packet was too large even\nthough the IPIP-encapped packet normally would never even come close to\nthe MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let\nthe curl request succeed (which also indicates that the kernel ignored the\npadding, and thus the issue wasn\u0027t very user-visible).\n\nCommit e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") was too eager\nto also switch xdp_prepare_buff() from rcd-\u003elen to rbi-\u003elen. It really needs\nto stick to rcd-\u003elen which is the actual packet length from the descriptor.\nThe latter we also feed into vmxnet3_process_xdp_small(), by the way, and\nit indicates the correct length needed to initialize the xdp-\u003e{data,data_end}\nparts. For e127ce7699c1 (\"vmxnet3: Fix missing reserved tailroom\") the\nrelevant part was adapting xdp_init_buff() to address the warning given the\nxdp_data_hard_end() depends on xdp-\u003eframe_sz. With that fixed, traffic on\nthe wire looks good again."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:07.764Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c4312c4d244aa58e811ff0297e013124d115e793"
        },
        {
          "url": "https://git.kernel.org/stable/c/33e131a10459d16f181c8184d3f17f1c318c7002"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3ad76e36a37b0ff4a71b06d5b33530ee8c3a177"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c2227656d9003f4d77afc76f34dd81b95e4c2c4"
        }
      ],
      "title": "vmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37799",
    "datePublished": "2025-05-03T11:39:51.924Z",
    "dateReserved": "2025-04-16T04:51:23.941Z",
    "dateUpdated": "2025-05-26T05:21:07.764Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-37799\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-05-03T12:15:14.950\",\"lastModified\":\"2025-05-05T20:54:19.760\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nvmxnet3: Fix malformed packet sizing in vmxnet3_process_xdp\\n\\nvmxnet3 driver\u0027s XDP handling is buggy for packet sizes using ring0 (that\\nis, packet sizes between 128 - 3k bytes).\\n\\nWe noticed MTU-related connectivity issues with Cilium\u0027s service load-\\nbalancing in case of vmxnet3 as NIC underneath. A simple curl to a HTTP\\nbackend service where the XDP LB was doing IPIP encap led to overly large\\npacket sizes but only for *some* of the packets (e.g. HTTP GET request)\\nwhile others (e.g. the prior TCP 3WHS) looked completely fine on the wire.\\n\\nIn fact, the pcap recording on the backend node actually revealed that the\\nnode with the XDP LB was leaking uninitialized kernel data onto the wire\\nfor the affected packets, for example, while the packets should have been\\n152 bytes their actual size was 1482 bytes, so the remainder after 152 bytes\\nwas padded with whatever other data was in that page at the time (e.g. we\\nsaw user/payload data from prior processed packets).\\n\\nWe only noticed this through an MTU issue, e.g. when the XDP LB node and\\nthe backend node both had the same MTU (e.g. 1500) then the curl request\\ngot dropped on the backend node\u0027s NIC given the packet was too large even\\nthough the IPIP-encapped packet normally would never even come close to\\nthe MTU limit. Lowering the MTU on the XDP LB (e.g. 1480) allowed to let\\nthe curl request succeed (which also indicates that the kernel ignored the\\npadding, and thus the issue wasn\u0027t very user-visible).\\n\\nCommit e127ce7699c1 (\\\"vmxnet3: Fix missing reserved tailroom\\\") was too eager\\nto also switch xdp_prepare_buff() from rcd-\u003elen to rbi-\u003elen. It really needs\\nto stick to rcd-\u003elen which is the actual packet length from the descriptor.\\nThe latter we also feed into vmxnet3_process_xdp_small(), by the way, and\\nit indicates the correct length needed to initialize the xdp-\u003e{data,data_end}\\nparts. For e127ce7699c1 (\\\"vmxnet3: Fix missing reserved tailroom\\\") the\\nrelevant part was adapting xdp_init_buff() to address the warning given the\\nxdp_data_hard_end() depends on xdp-\u003eframe_sz. With that fixed, traffic on\\nthe wire looks good again.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: vmxnet3: Se ha corregido un tama\u00f1o de paquete incorrecto en vmxnet3_process_xdp. El manejo de XDP del controlador vmxnet3 presenta errores para tama\u00f1os de paquete que utilizan ring0 (es decir, tama\u00f1os de paquete entre 128 y 3\u0026#xa0;k bytes). Observamos problemas de conectividad relacionados con la MTU con el balanceo de carga del servicio de Cilium en el caso de vmxnet3 como NIC subyacente. Una simple conexi\u00f3n curl a un servicio HTTP backend donde el LB XDP realizaba encapsulado IPIP gener\u00f3 tama\u00f1os de paquete excesivamente grandes, pero solo para *algunos* paquetes (p. ej., una solicitud HTTP GET), mientras que otros (p. ej., el TCP 3WHS anterior) funcionaron correctamente en la red. De hecho, la grabaci\u00f3n de pcap en el nodo backend revel\u00f3 que el nodo con el LB XDP estaba filtrando datos de kernel sin inicializar en la red para los paquetes afectados. Por ejemplo, si bien los paquetes deber\u00edan haber tenido 152 bytes, su tama\u00f1o real era de 1482 bytes, por lo que el resto despu\u00e9s de 152 bytes se rellen\u00f3 con cualquier otro dato que hubiera en esa p\u00e1gina en ese momento (por ejemplo, vimos datos de usuario/carga \u00fatil de paquetes procesados previamente). Solo notamos esto a trav\u00e9s de un problema de MTU; por ejemplo, cuando el nodo LB XDP y el nodo backend ten\u00edan la misma MTU (por ejemplo, 1500), la solicitud curl se descart\u00f3 en la NIC del nodo backend debido a que el paquete era demasiado grande, aunque el paquete encapsulado en IPIP normalmente ni siquiera se acercar\u00eda al l\u00edmite de MTU. Reducir la MTU en el LB XDP (por ejemplo, 1480) permiti\u00f3 que la solicitud curl se ejecutara correctamente (lo que tambi\u00e9n indica que el kernel ignor\u00f3 el relleno y, por lo tanto, el problema no era muy visible para el usuario). el commit e127ce7699c1 (\\\"vmxnet3: Correcci\u00f3n de la falta de espacio reservado para la cola\\\") estaba demasiado ansiosa por cambiar xdp_prepare_buff() de rcd-\u0026gt;len a rbi-\u0026gt;len. Es necesario que se mantenga en rcd-\u0026gt;len, que es la longitud real del paquete del descriptor. Por cierto, esta \u00faltima tambi\u00e9n se introduce en vmxnet3_process_xdp_small(), e indica la longitud correcta necesaria para inicializar las partes xdp-\u0026gt;{data,data_end}. Para e127ce7699c1 (\\\"vmxnet3: Correcci\u00f3n de la falta de espacio reservado para la cola\\\"), la parte relevante fue adaptar xdp_init_buff() para abordar la advertencia, dado que xdp_data_hard_end() depende de xdp-\u0026gt;frame_sz. Con esto corregido, el tr\u00e1fico en la red se ve bien de nuevo.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/33e131a10459d16f181c8184d3f17f1c318c7002\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/4c2227656d9003f4d77afc76f34dd81b95e4c2c4\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c4312c4d244aa58e811ff0297e013124d115e793\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e3ad76e36a37b0ff4a71b06d5b33530ee8c3a177\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.