Bug 2383384 (CVE-2025-38413) - CVE-2025-38413 kernel: virtio-net: xsk: rx: fix the frame's length check
Summary: CVE-2025-38413 kernel: virtio-net: xsk: rx: fix the frame's length check
Keywords:
Status: NEW
Alias: CVE-2025-38413
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-07-25 14:01 UTC by OSIDB Bzimport
Modified: 2025-07-27 09:40 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-07-25 14:01:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

virtio-net: xsk: rx: fix the frame's length check

When calling buf_to_xdp, the len argument is the frame data's length
without virtio header's length (vi->hdr_len). We check that len with

	xsk_pool_get_rx_frame_size() + vi->hdr_len

to ensure the provided len does not larger than the allocated chunk
size. The additional vi->hdr_len is because in virtnet_add_recvbuf_xsk,
we use part of XDP_PACKET_HEADROOM for virtio header and ask the vhost
to start placing data from

	hard_start + XDP_PACKET_HEADROOM - vi->hdr_len
not
	hard_start + XDP_PACKET_HEADROOM

But the first buffer has virtio_header, so the maximum frame's length in
the first buffer can only be

	xsk_pool_get_rx_frame_size()
not
	xsk_pool_get_rx_frame_size() + vi->hdr_len

like in the current check.

This commit adds an additional argument to buf_to_xdp differentiate
between the first buffer and other ones to correctly calculate the maximum
frame's length.
Comment 1 Jon Moroney 2025-07-25 19:44:59 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025072521-CVE-2025-38413-d64f@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.