Wind River Support Network

Status: Fixed

LIN1025-5895 : Security Advisory - linux - CVE-2025-40159

Created: Nov 12, 2025    Updated: Nov 25, 2025
Resolved Date: Nov 24, 2025
Found In Version: 10.25.33.1
Fix Version: 10.25.33.3
Severity: Standard
Applicable for: Wind River Linux LTS 25
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

xsk: Harden userspace-supplied xdp_desc validation

Turned out certain clearly invalid values passed in xdp_desc from
userspace can pass xp_{,un}aligned_validate_desc() and then lead
to UBs or just invalid frames to be queued for xmit.

desc->len close to ``U32_MAX`` with a non-zero pool->tx_metadata_len
can cause positive integer overflow and wraparound, the same way low
enough desc->addr with a non-zero pool->tx_metadata_len can cause
negative integer overflow. Both scenarios can then pass the
validation successfully.
This doesn't happen with valid XSk applications, but can be used
to perform attacks.

Always promote desc->len to ``u64`` first to exclude positive
overflows of it. Use explicit check_{add,sub}_overflow() when
validating desc->addr (which is ``u64`` already).

bloat-o-meter reports a little growth of the code size:

add/remove: 0/0 grow/shrink: 2/1 up/down: 60/-16 (44)
Function                                     old     new   delta
xskq_cons_peek_desc                          299     330     +31
xsk_tx_peek_release_desc_batch               973    1002     +29
xsk_generic_xmit                            3148    3132     -16

but hopefully this doesn't hurt the performance much.
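The two overflow paths the commit message describes, modelled in user space as an added example. This is not the kernel's code and not Wind River's: the struct and field names loosely mirror the kernel's xdp_desc and xsk_buff_pool, but the pool layout, the constants, the helper names and the sample descriptors are assumptions, and the kernel's check_{add,sub}_overflow() macros are stood in for by the GCC/Clang __builtin_*_overflow builtins. The "vulnerable" function keeps the pre-fix shape (u32 addition of len, unchecked subtraction from addr); the "hardened" one applies the fix as the message states it.

```c
/* Added example: user-space model of the AF_XDP Tx descriptor check.
 * NOT kernel code; names and layout are assumptions for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;
typedef uint64_t u64;

/* Minimal model of the UAPI Tx descriptor: addr, len, options. */
struct xdp_desc {
	u64 addr;
	u32 len;
	u32 options;
};

/* Assumed subset of the pool fields the validation consults. */
struct xsk_buff_pool {
	u64 addrs_cnt;       /* UMEM size in bytes */
	u32 chunk_size;      /* power of two, e.g. 4096 */
	u32 tx_metadata_len; /* bytes reserved in front of each Tx frame */
};

/* Stand-ins for the kernel's check_sub_overflow(): true on wrap. */
static bool sub_overflow_u64(u64 a, u64 b, u64 *r)
{
	return __builtin_sub_overflow(a, b, r);
}

/* Pre-fix shape: desc->len + tx_metadata_len is a u32 + u32 addition and
 * wraps at 2^32 before it is widened; addr is subtracted unchecked. */
static bool validate_desc_vulnerable(const struct xsk_buff_pool *pool,
				     const struct xdp_desc *desc)
{
	u64 addr = desc->addr - pool->tx_metadata_len;
	u64 len = desc->len + pool->tx_metadata_len; /* wraps in u32 */
	u64 offset = addr & (pool->chunk_size - 1);

	if (!desc->len)
		return false;
	if (offset + len > pool->chunk_size)
		return false;
	if (addr >= pool->addrs_cnt)
		return false;
	return true;
}

/* Fixed shape: widen len to u64 first, and refuse a desc->addr that is
 * smaller than tx_metadata_len instead of computing with the wrapped value. */
static bool validate_desc_hardened(const struct xsk_buff_pool *pool,
				   const struct xdp_desc *desc)
{
	u64 len = (u64)desc->len + pool->tx_metadata_len; /* <= 2 * U32_MAX */
	u64 addr, offset;

	if (!desc->len)
		return false;
	if (sub_overflow_u64(desc->addr, (u64)pool->tx_metadata_len, &addr))
		return false;
	offset = addr & (pool->chunk_size - 1);
	/* offset < chunk_size <= U32_MAX and len <= 2 * U32_MAX: no u64 wrap. */
	if (offset + len > pool->chunk_size)
		return false;
	if (addr >= pool->addrs_cnt)
		return false;
	return true;
}

/* Constructed inputs (not captured from a real socket). */
static const struct xsk_buff_pool demo_pool = {
	.addrs_cnt = 1u << 20, .chunk_size = 4096, .tx_metadata_len = 8,
};
/* frame starts 8 bytes into chunk 1, after its metadata */
static const struct xdp_desc demo_good = { .addr = 4104, .len = 1500 };
/* 0xFFFFFFFB + 8 wraps to 3 in u32, so the old check sees a 3-byte frame */
static const struct xdp_desc demo_huge_len = { .addr = 4096, .len = 0xFFFFFFFBu };
/* addr 4 < tx_metadata_len 8: the subtraction would wrap below zero */
static const struct xdp_desc demo_low_addr = { .addr = 4, .len = 64 };

int main(void)
{
	printf("good:     old=%d new=%d\n",
	       validate_desc_vulnerable(&demo_pool, &demo_good),
	       validate_desc_hardened(&demo_pool, &demo_good));
	printf("huge len: old=%d new=%d\n",
	       validate_desc_vulnerable(&demo_pool, &demo_huge_len),
	       validate_desc_hardened(&demo_pool, &demo_huge_len));
	printf("low addr: new=%d\n",
	       validate_desc_hardened(&demo_pool, &demo_low_addr));
	return 0;
}
```

The huge-length descriptor is the one that slips through the old shape: the u32 sum wraps to 3, which is well under the chunk size, so a frame of nearly 4 GiB would be queued. The hardened check computes the sum in u64 and rejects it, and rejects the too-low address before ever using the wrapped value.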

CVEs

CVE-2025-40159