In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error routes (e.g., blackhole) when it is called as part of network namespace dismantle (i.e., with flush_all=true). Therefore, error routes are not flushed when their nexthop object is deleted: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 As such, they keep holding a reference on the nexthop object which in turn holds a reference on the nexthop device, resulting in a reference count leak: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Fix by flushing error routes when their nexthop is marked as dead. IPv6 does not suffer from this problem.
En el kernel de Linux, la siguiente vulnerabilidad ha sido resuelta: ipv4: Corrección de fuga de contador de referencias al usar rutas de error con objetos nexthop Cuando un objeto nexthop es eliminado, es marcado como muerto y luego se llama a fib_table_flush() para vaciar todas las rutas que están usando el nexthop muerto. La lógica actual en fib_table_flush() es vaciar solo las rutas de error (p. ej., blackhole) cuando se llama como parte del desmantelamiento de un espacio de nombres de red (es decir, con flush_all=true). Por lo tanto, las rutas de error no se vacían cuando su objeto nexthop es eliminado: # ip link add name dummy1 up type dummy # ip nexthop add id 1 dev dummy1 # ip route add 198.51.100.1/32 nhid 1 # ip route add blackhole 198.51.100.2/32 nhid 1 # ip nexthop del id 1 # ip route show blackhole 198.51.100.2 nhid 1 dev dummy1 Como tal, siguen manteniendo una referencia en el objeto nexthop que a su vez mantiene una referencia en el dispositivo nexthop, lo que resulta en una fuga de contador de referencias: # ip link del dev dummy1 [ 70.516258] unregister_netdevice: waiting for dummy1 to become free. Usage count = 2 Corrección vaciando las rutas de error cuando su nexthop es marcado como muerto. IPv6 no sufre de este problema.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-Other
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702b8052d380> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67d100> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd67eb80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc1dd600> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc337300> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bfc334240> | Operating System |
| linux | linux_kernel | 5.3 | <built-in method update of dict object at 0x702b80e2e880> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67c380> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702b8344d300> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bde235fc0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd2f0600> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bfc3360c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd67d6c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdcc5a1c0> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702b80e2c740> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:5.3:-:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc6:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc7:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc8:*:*:*:*:*:* |