In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b ("bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN"), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 ("bpf: introduce frags support to bpf_prog_test_run_xdp()") forgot to call xdp_convert_buff_to_md().
Se ha resuelto la siguiente vulnerabilidad en el kernel de Linux: bpf: Corregir fuga de contador de referencias en bpf_prog_test_run_xdp() syzbot está reportando unregister_netdevice: esperando que sit0 quede libre. Recuento de uso = 2 problema. Un parche de depuración printk() encontró que se obtiene un contador de referencias en xdp_convert_md_to_buff() desde bpf_prog_test_run_xdp(). Según el commit ec94670fcb3b ('bpf: Soporte para especificar el ingreso a través del contexto xdp_md en BPF_PROG_TEST_RUN'), el contador de referencias obtenido por xdp_convert_md_to_buff() será liberado por xdp_convert_buff_to_md(). Por lo tanto, podemos considerar que la ruta de manejo de errores introducida por el commit 1c1949982524 ('bpf: introducir soporte de fragmentos en bpf_prog_test_run_xdp()') olvidó llamar a xdp_convert_buff_to_md().
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | LOCAL |
|---|---|
| Attack Complexity | LOW |
| Privileges Required | LOW |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |
| Source | Type | Description |
|---|---|---|
| [email protected] | Primary |
en
NVD-CWE-Other
|
| Vendor | Product | Version | Update | Type |
|---|---|---|---|---|
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcab47e80> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bdd9a3880> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcab45b00> | Operating System |
| linux | linux_kernel | * | <built-in method update of dict object at 0x702bcab47080> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bcab44f80> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bcab45580> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bcab46580> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702ba6c50d40> | Operating System |
| linux | linux_kernel | 6.19 | <built-in method update of dict object at 0x702bdd9a1c80> | Operating System |
| Vulnerable | CPE |
|---|---|
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc1:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc2:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc3:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc4:*:*:*:*:*:* |
| Yes | cpe:2.3:o:linux:linux_kernel:6.19:rc5:*:*:*:*:*:* |