fkie_cve-2022-50483
Vulnerability from fkie_nvd
Published
2025-10-04 16:15
Modified
2025-10-06 14:56
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: net: enetc: avoid buffer leaks on xdp_do_redirect() failure Before enetc_clean_rx_ring_xdp() calls xdp_do_redirect(), each software BD in the RX ring between index orig_i and i can have one of 2 refcount values on its page. We are the owner of the current buffer that is being processed, so the refcount will be at least 1. If the current owner of the buffer at the diametrically opposed index in the RX ring (i.o.w, the other half of this page) has not yet called kfree(), this page's refcount could even be 2. enetc_page_reusable() in enetc_flip_rx_buff() tests for the page refcount against 1, and [ if it's 2 ] does not attempt to reuse it. But if enetc_flip_rx_buff() is put after the xdp_do_redirect() call, the page refcount can have one of 3 values. It can also be 0, if there is no owner of the other page half, and xdp_do_redirect() for this buffer ran so far that it triggered a flush of the devmap/cpumap bulk queue, and the consumers of those bulk queues also freed the buffer, all by the time xdp_do_redirect() returns the execution back to enetc. This is the reason why enetc_flip_rx_buff() is called before xdp_do_redirect(), but there is a big flaw with that reasoning: enetc_flip_rx_buff() will set rx_swbd->page = NULL on both sides of the enetc_page_reusable() branch, and if xdp_do_redirect() returns an error, we call enetc_xdp_free(), which does not deal gracefully with that. In fact, what happens is quite special. The page refcounts start as 1. enetc_flip_rx_buff() figures they're reusable, transfers these rx_swbd->page pointers to a different rx_swbd in enetc_reuse_page(), and bumps the refcount to 2. When xdp_do_redirect() later returns an error, we call the no-op enetc_xdp_free(), but we still haven't lost the reference to that page. A copy of it is still at rx_ring->next_to_alloc, but that has refcount 2 (and there are no concurrent owners of it in flight, to drop the refcount). What really kills the system is when we'll flip the rx_swbd->page the second time around. With an updated refcount of 2, the page will not be reusable and we'll really leak it. Then enetc_new_page() will have to allocate more pages, which will then eventually leak again on further errors from xdp_do_redirect(). The problem, summarized, is that we zeroize rx_swbd->page before we're completely done with it, and this makes it impossible for the error path to do something with it. Since the packet is potentially multi-buffer and therefore the rx_swbd->page is potentially an array, manual passing of the old pointers between enetc_flip_rx_buff() and enetc_xdp_free() is a bit difficult. For the sake of going with a simple solution, we accept the possibility of racing with xdp_do_redirect(), and we move the flip procedure to execute only on the redirect success path. By racing, I mean that the page may be deemed as not reusable by enetc (having a refcount of 0), but there will be no leak in that case, either. Once we accept that, we have something better to do with buffers on XDP_REDIRECT failure. Since we haven't performed half-page flipping yet, we won't, either (and this way, we can avoid enetc_xdp_free() completely, which gives the entire page to the slab allocator). Instead, we'll call enetc_xdp_drop(), which will recycle this half of the buffer back to the RX ring.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/306526331e7a37e714e11ab7c6d73eb004745224
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/628050ec952d2e2e46ec9fb6aa07e41139e030c8
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7fba523b51ccce5f7981f8a43ad84d664da68131
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bcf2c1dc5358dcf7e34a68cdb6b0bbf967801efa
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: enetc: avoid buffer leaks on xdp_do_redirect() failure\n\nBefore enetc_clean_rx_ring_xdp() calls xdp_do_redirect(), each software\nBD in the RX ring between index orig_i and i can have one of 2 refcount\nvalues on its page.\n\nWe are the owner of the current buffer that is being processed, so the\nrefcount will be at least 1.\n\nIf the current owner of the buffer at the diametrically opposed index\nin the RX ring (i.o.w, the other half of this page) has not yet called\nkfree(), this page\u0027s refcount could even be 2.\n\nenetc_page_reusable() in enetc_flip_rx_buff() tests for the page\nrefcount against 1, and [ if it\u0027s 2 ] does not attempt to reuse it.\n\nBut if enetc_flip_rx_buff() is put after the xdp_do_redirect() call,\nthe page refcount can have one of 3 values. It can also be 0, if there\nis no owner of the other page half, and xdp_do_redirect() for this\nbuffer ran so far that it triggered a flush of the devmap/cpumap bulk\nqueue, and the consumers of those bulk queues also freed the buffer,\nall by the time xdp_do_redirect() returns the execution back to enetc.\n\nThis is the reason why enetc_flip_rx_buff() is called before\nxdp_do_redirect(), but there is a big flaw with that reasoning:\nenetc_flip_rx_buff() will set rx_swbd-\u003epage = NULL on both sides of the\nenetc_page_reusable() branch, and if xdp_do_redirect() returns an error,\nwe call enetc_xdp_free(), which does not deal gracefully with that.\n\nIn fact, what happens is quite special. The page refcounts start as 1.\nenetc_flip_rx_buff() figures they\u0027re reusable, transfers these\nrx_swbd-\u003epage pointers to a different rx_swbd in enetc_reuse_page(), and\nbumps the refcount to 2. When xdp_do_redirect() later returns an error,\nwe call the no-op enetc_xdp_free(), but we still haven\u0027t lost the\nreference to that page. A copy of it is still at rx_ring-\u003enext_to_alloc,\nbut that has refcount 2 (and there are no concurrent owners of it in\nflight, to drop the refcount). What really kills the system is when\nwe\u0027ll flip the rx_swbd-\u003epage the second time around. With an updated\nrefcount of 2, the page will not be reusable and we\u0027ll really leak it.\nThen enetc_new_page() will have to allocate more pages, which will then\neventually leak again on further errors from xdp_do_redirect().\n\nThe problem, summarized, is that we zeroize rx_swbd-\u003epage before we\u0027re\ncompletely done with it, and this makes it impossible for the error path\nto do something with it.\n\nSince the packet is potentially multi-buffer and therefore the\nrx_swbd-\u003epage is potentially an array, manual passing of the old\npointers between enetc_flip_rx_buff() and enetc_xdp_free() is a bit\ndifficult.\n\nFor the sake of going with a simple solution, we accept the possibility\nof racing with xdp_do_redirect(), and we move the flip procedure to\nexecute only on the redirect success path. By racing, I mean that the\npage may be deemed as not reusable by enetc (having a refcount of 0),\nbut there will be no leak in that case, either.\n\nOnce we accept that, we have something better to do with buffers on\nXDP_REDIRECT failure. Since we haven\u0027t performed half-page flipping yet,\nwe won\u0027t, either (and this way, we can avoid enetc_xdp_free()\ncompletely, which gives the entire page to the slab allocator).\nInstead, we\u0027ll call enetc_xdp_drop(), which will recycle this half of\nthe buffer back to the RX ring."
    }
  ],
  "id": "CVE-2022-50483",
  "lastModified": "2025-10-06T14:56:47.823",
  "metrics": {},
  "published": "2025-10-04T16:15:45.093",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/306526331e7a37e714e11ab7c6d73eb004745224"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/628050ec952d2e2e46ec9fb6aa07e41139e030c8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/7fba523b51ccce5f7981f8a43ad84d664da68131"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "url": "https://git.kernel.org/stable/c/bcf2c1dc5358dcf7e34a68cdb6b0bbf967801efa"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Awaiting Analysis"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.