KernelScan.io

CRITICAL

stmmac Chain Mode Integer Underflow

CVE-2026-31649

CVSS 9.8 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 9.8 CRITICAL

01

In the Linux kernel, the following vulnerability has been resolved:

net: stmmac: fix integer underflow in chain mode

The jumbo_frm() chain-mode implementation unconditionally computes

    len = nopaged_len - bmax;

where nopaged_len = skb_headlen(skb) (linear bytes only) and bmax is BUF_SIZE_8KiB or BUF_SIZE_2KiB. However, the caller stmmac_xmit() decides to invoke jumbo_frm() based on skb->len (total length including page fragments):

    is_jumbo = stmmac_is_jumbo_frm(priv, skb->len, enh_desc);

When a packet has a small linear portion (nopaged_len <= bmax) but a large total length due to page fragments (skb->len > bmax), the subtraction wraps as an unsigned integer, producing a huge len value (~0xFFFFxxxx). This causes the while (len != 0) loop to execute hundreds of thousands of iterations, passing skb->data + bmax * i pointers far beyond the skb buffer to dma_map_single().

On IOMMU-less SoCs (the typical deployment for stmmac), this maps arbitrary kernel memory to the DMA engine, constituting a kernel memory disclosure and potential memory corruption from hardware.

Fix this by introducing a buf_len local variable clamped to min(nopaged_len, bmax). Computing len = nopaged_len - buf_len is then always safe: it is zero when the linear portion fits within a single descriptor, causing the while (len != 0) loop to be skipped naturally, and the fragment loop in stmmac_xmit() handles page fragments afterward.

02

Engine v0.2.0

Risk summary

A critical vulnerability in the stmmac Ethernet driver allows remote attackers to cause kernel memory disclosure and corruption by sending specially crafted fragmented network packets. When the driver processes packets with small linear portions but large total sizes, an integer underflow causes hundreds of thousands of loop iterations that map arbitrary kernel memory to the network hardware's DMA engine. This is particularly dangerous on typical ARM SoC deployments that lack IOMMUs, as it provides direct access to kernel memory contents and enables potential memory corruption attacks.

Affected: drivers/net/ethernet/stmicro/stmmac/chain_mode.c

Vulnerability analysis

Root Cause: The jumbo_frm() function in chain mode unconditionally computes `len = nopaged_len - bmax` where nopaged_len is the linear portion of an skb and bmax is the buffer size (2KB or 8KB). When nopaged_len is smaller than bmax, this subtraction wraps around as an unsigned integer, creating a huge value (~0xFFFFxxxx). This occurs when a packet has a small linear portion but large total length due to page fragments, since the jumbo frame decision is based on total skb length but the computation uses only the linear portion.

Attack Surface: This vulnerability affects network packet processing in the stmmac Ethernet driver. It can be triggered by sending specially crafted network packets with small linear portions but large total lengths due to fragmentation. The attack surface includes any network interface using the stmmac driver in chain mode, which is common on ARM SoCs without IOMMUs. The vulnerability leads to kernel memory disclosure and potential corruption as arbitrary kernel memory gets mapped to the DMA engine.

Fix Mechanism: The patch introduces a buf_len variable that is clamped to min(nopaged_len, bmax), ensuring the first descriptor uses only the available linear data. The length calculation becomes len = nopaged_len - buf_len, which is always safe: it is zero when the linear portion fits in one descriptor (skipping the problematic loop) and a valid positive value otherwise. Page fragments are handled separately by the caller's fragment loop.
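To make the arithmetic in the commit message and in the root-cause and fix paragraphs above concrete, here is an added C example; it is not code from the kernel, the stmmac driver or KernelScan. It places the pre-fix computation `len = nopaged_len - bmax` beside the clamped `len = nopaged_len - buf_len` from the fix, and counts how many passes the `while (len != 0)` descriptor loop would make for each, without mapping or touching any memory. The BUF_SIZE_* values, the ITER_CAP bound and the sample lengths are assumptions constructed for the example.

```c
#include <stdio.h>

/*
 * Buffer-size limits used by the driver's chain-mode descriptors.
 * The values below are assumed for this example; the real driver
 * defines its own BUF_SIZE_* constants.
 */
#define BUF_SIZE_8KiB 8192U
#define BUF_SIZE_2KiB 2048U

/* Cap on simulated loop passes so the wrapped case still terminates. */
#define ITER_CAP 1000000UL

/*
 * Remaining length as the pre-fix jumbo_frm() computed it:
 * nopaged_len - bmax with no check that nopaged_len >= bmax.
 * With unsigned arithmetic the result wraps when nopaged_len < bmax.
 */
static unsigned int jumbo_len_before_fix(unsigned int nopaged_len, unsigned int bmax)
{
	return nopaged_len - bmax;
}

/*
 * Remaining length after the fix: the first descriptor takes
 * buf_len = min(nopaged_len, bmax), so the subtraction can never wrap.
 * It is zero whenever the linear portion fits in a single descriptor.
 */
static unsigned int jumbo_len_after_fix(unsigned int nopaged_len, unsigned int bmax)
{
	unsigned int buf_len = nopaged_len < bmax ? nopaged_len : bmax;

	return nopaged_len - buf_len;
}

/*
 * Model of the driver's "while (len != 0)" descriptor loop: each pass
 * consumes at most bmax bytes. Nothing is mapped or dereferenced here;
 * the function only counts the passes the loop would make, stopping at
 * `cap` so a wrapped len does not spin for hundreds of thousands of rounds.
 */
static unsigned long count_descriptor_passes(unsigned int len, unsigned int bmax, unsigned long cap)
{
	unsigned long passes = 0;

	while (len != 0 && passes < cap) {
		if (len > bmax)
			len -= bmax;
		else
			len = 0;
		passes++;
	}
	return passes;
}

/* Returns 1 when the pre-fix subtraction wrapped for these inputs (result larger than its input). */
static int underflow_occurs(unsigned int nopaged_len, unsigned int bmax)
{
	return jumbo_len_before_fix(nopaged_len, bmax) > nopaged_len;
}

int main(void)
{
	/* Constructed input: a 100-byte linear header with the rest of the frame in page fragments. */
	unsigned int small_linear = 100;
	/* Constructed input: a 10000-byte linear portion that genuinely needs two descriptors. */
	unsigned int big_linear = 10000;
	unsigned int bmax = BUF_SIZE_8KiB;

	printf("linear=%u bmax=%u\n", small_linear, bmax);
	printf("  before fix: len=0x%08x, %lu loop passes (capped at %lu)\n",
	       jumbo_len_before_fix(small_linear, bmax),
	       count_descriptor_passes(jumbo_len_before_fix(small_linear, bmax), bmax, ITER_CAP),
	       ITER_CAP);
	printf("  after fix:  len=%u, %lu loop passes\n",
	       jumbo_len_after_fix(small_linear, bmax),
	       count_descriptor_passes(jumbo_len_after_fix(small_linear, bmax), bmax, ITER_CAP));

	printf("linear=%u bmax=%u\n", big_linear, bmax);
	printf("  before fix: len=%u, after fix: len=%u (both valid, %lu loop pass)\n",
	       jumbo_len_before_fix(big_linear, bmax),
	       jumbo_len_after_fix(big_linear, bmax),
	       count_descriptor_passes(jumbo_len_after_fix(big_linear, bmax), bmax, ITER_CAP));
	return 0;
}
```

Compile with `cc -Wall example.c && ./a.out`. With a 100-byte linear portion and an 8 KiB bmax the pre-fix value wraps to 0xFFFFE064 and the loop would make 524288 passes, which is the "hundreds of thousands of iterations" the commit message describes; the fixed value is 0 and the loop never runs. When the linear portion really exceeds bmax (10000 bytes here) both versions agree, which is why the fix changes nothing for legitimate jumbo frames. The same pair of inputs makes a compact regression check for a backport: any linear length below bmax must yield len == 0.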

03

| Branch   | Fixed in | Patch commit |
|----------|----------|--------------|
| 5.10     | 5.10.253 | 513e06735f5b |
| 5.15     | 5.15.203 | 275bdf762e82 |
| 6.1      | 6.1.169  | a2b68a9a476b |
| 6.12     | 6.12.82  | 2c91b3991227 |
| 6.18     | 6.18.23  | 6fca757c2039 |
| 6.19     | 6.19.13  | 10d12b9240eb |
| 6.6      | 6.6.135  | b7b8012193fd |
| mainline | 7.0      | 51f4e090b9f8 |