First published: Wed Feb 28 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send In emac_mac_tx_buf_send, it calls emac_tx_fill_tpd(..,skb,..). If some error happens in emac_tx_fill_tpd(), the skb will be freed via dev_kfree_skb(skb) in error branch of emac_tx_fill_tpd(). But the freed skb is still used via skb->len by netdev_sent_queue(,skb->len). As i observed that emac_tx_fill_tpd() haven't modified the value of skb->len, thus my patch assigns skb->len to 'len' before the possible free and use 'len' instead of skb->len later.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/kernel | <4.9.269 | 4.9.269 |
redhat/kernel | <4.14.233 | 4.14.233 |
redhat/kernel | <4.19.191 | 4.19.191 |
redhat/kernel | <5.4.119 | 5.4.119 |
redhat/kernel | <5.10.37 | 5.10.37 |
redhat/kernel | <5.11.21 | 5.11.21 |
redhat/kernel | <5.12.4 | 5.12.4 |
redhat/kernel | <5.13 | 5.13 |
Linux Linux kernel | >=4.9<4.9.269 | |
Linux Linux kernel | >=4.10<4.14.233 | |
Linux Linux kernel | >=4.15<4.19.191 | |
Linux Linux kernel | >=4.20<5.4.119 | |
Linux Linux kernel | >=5.5<5.10.37 | |
Linux Linux kernel | >=5.11<5.11.21 | |
Linux Linux kernel | >=5.12<5.12.4 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.