First published: Mon Jul 03 2023
A use-after-free flaw was found in vmxnet3_rq_alloc_rx_buf in drivers/net/vmxnet3/vmxnet3_drv.c in VMware's vmxnet3 ethernet NIC driver in the Linux kernel. This flaw could allow a local attacker to crash the system through a double free during cleanup in vmxnet3_rq_cleanup_all. The vulnerability could also lead to a kernel information leak.

In vmxnet3_rq_alloc_rx_buf(), when dma_map_single() fails, rbi->skb is freed immediately. Similarly, in another branch, when dma_map_page() fails, rbi->page is also freed. In both cases, vmxnet3_rq_alloc_rx_buf() returns an error to its callers, vmxnet3_rq_init() -> vmxnet3_rq_init_all() -> vmxnet3_activate_dev(). vmxnet3_activate_dev() then calls vmxnet3_rq_cleanup_all() in its error handling code, where rbi->skb or rbi->page is freed again, causing use-after-free bugs.

References: https://github.com/torvalds/linux/commit/9e7fef9521e73ca8afd7da9e58c14654b02dfad8
Credit: secalert@redhat.com
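The error path described above, reduced to a userspace C model (an added example, not code from the driver or from the referenced commit). The names struct buf, ring_alloc, ring_cleanup and run_error_path are hypothetical, and clearing the slot pointer after the early free is shown here as one way to close the pattern; the model counts a second free instead of performing it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define RING_SIZE 4

/* Userspace model; all names are hypothetical, not the driver's. */
struct buf { bool live; };                /* stands in for an skb or a page */
struct rx_buf_info { struct buf *buf; };  /* stands in for rbi->skb / rbi->page */
static struct buf pool[RING_SIZE];
static int double_frees;

static void buf_free(struct buf *b) {
    if (!b) return;
    if (!b->live) { double_frees++; return; }  /* object was already freed */
    b->live = false;
}

/* Fill the ring; the mapping step for slot fail_at is made to fail. */
static int ring_alloc(struct rx_buf_info *ring, int fail_at, bool clear_ptr) {
    for (int i = 0; i < RING_SIZE; i++) {
        pool[i].live = true;
        ring[i].buf = &pool[i];
        if (i == fail_at) {              /* models dma_map_*() failing */
            buf_free(ring[i].buf);       /* freed immediately on the error branch */
            if (clear_ptr)
                ring[i].buf = NULL;      /* hardened: leave no stale pointer */
            return -1;
        }
    }
    return 0;
}

/* Models the cleanup pass: frees whatever each slot still points to. */
static void ring_cleanup(struct rx_buf_info *ring) {
    for (int i = 0; i < RING_SIZE; i++) {
        buf_free(ring[i].buf);
        ring[i].buf = NULL;
    }
}

/* Runs alloc failure followed by cleanup; returns the double frees seen. */
int run_error_path(bool clear_ptr) {
    struct rx_buf_info ring[RING_SIZE] = {{NULL}};
    memset(pool, 0, sizeof(pool));
    double_frees = 0;
    if (ring_alloc(ring, 2, clear_ptr) != 0)
        ring_cleanup(ring);
    return double_frees;
}
```

With the stale pointer left in the slot, the cleanup pass frees the same object a second time; with the pointer cleared, cleanup skips that slot and frees only the buffers that are still live.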
Affected Software | Affected Version | How to fix |
---|---|---|
Linux Linux kernel | <5.18 | |
Redhat Enterprise Linux | =6.0 | |
Redhat Enterprise Linux | =7.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =9.0 | |
Linux Linux kernel | >=3.16.60 <3.17 | |
Linux Linux kernel | >=4.4 <4.9.316 | |
Linux Linux kernel | >=4.10 <4.14.281 | |
Linux Linux kernel | >=4.15 <4.19.245 | |
Linux Linux kernel | >=4.20 <5.4.196 | |
Linux Linux kernel | >=5.5 <5.10.118 | |
Linux Linux kernel | >=5.11 <5.15.42 | |
Linux Linux kernel | >=5.16 <5.17.10 | |
redhat/Kernel | <5.18 | 5.18 |
debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.7-1 6.11.9-1 |