CVE-2022-48809 in Linux
Summary
by MITRE • 07/16/2024
In the Linux kernel, the following vulnerability has been resolved:
net: fix a memleak when uncloning an skb dst and its metadata
When uncloning an skb dst and its associated metadata, a new dst+metadata is allocated and later replaces the old one in the skb. This is helpful to have a non-shared dst+metadata attached to a specific skb.
The issue is the uncloned dst+metadata is initialized with a refcount of 1, which is increased to 2 before attaching it to the skb. When tun_dst_unclone returns, the dst+metadata is only referenced from a single place (the skb) while its refcount is 2. Its refcount will never drop to 0 (when the skb is consumed), leading to a memory leak.
Fix this by removing the call to dst_hold in tun_dst_unclone, as the dst+metadata refcount is already 1.
Analysis
by VulDB Data Team • 10/28/2024
CVE-2022-48809 is a memory leak in the Linux kernel's networking core, in the handling of socket buffer (skb) destination entries (dst) that carry tunnel metadata. The object involved is struct metadata_dst, which the lightweight tunnel drivers (VXLAN, Geneve, IP tunnels in collect-metadata mode, and their users such as Open vSwitch and BPF tunnel helpers) attach to an skb to describe its encapsulation. The "tun" in tun_dst_unclone refers to this tunnel metadata, not to TUN/TAP character devices. When the kernel needs a private, unshared copy of such a dst for one skb, tun_dst_unclone allocates a new dst+metadata, copies the tunnel info and options into it, drops the skb's reference on the shared one and installs the copy in the skb. The defect is in how the reference count of that copy was managed.
The reference-count walk-through is short. metadata_dst_alloc returns the new object with a refcount of 1; that reference is meant to be handed over to the skb, because skb_dst_set takes ownership of the caller's reference and does not take one of its own. The original tun_dst_unclone nevertheless called dst_hold on the new object before skb_dst_set, raising the count to 2 while the skb was the only holder. When the skb is later consumed, dst_release drops the count from 2 to 1, never to 0, so the object is never freed. Every packet that takes the uncloning path therefore leaks one struct metadata_dst plus its tunnel options area, and there is no path that could reclaim it.
The operational impact is a denial-of-service vector rather than any data exposure or code execution: the leaked objects accumulate for as long as traffic keeps hitting the uncloning path, until memory pressure degrades the host or the OOM killer starts taking out processes. Because the leak is driven by packet processing, an attacker who can send traffic through an affected tunnel configuration can drive it at line rate without any privileges on the host. Affected systems are those running a kernel that contains tun_dst_unclone without the fix and that use tunnel metadata (for example a VXLAN or Geneve interface in external/collect-metadata mode under Open vSwitch). The leaked objects are kmalloc allocations, so on a live system the symptom is steadily growing kmalloc-* slab usage in /proc/slabinfo rather than a dedicated named cache; a kernel built with CONFIG_DEBUG_KMEMLEAK can attribute the unreferenced objects to tun_dst_unclone after a scan.
The fix removes the dst_hold call from tun_dst_unclone, so the refcount stays at 1 and matches the single holder, the skb. Freeing the skb then drops the count to 0 and releases the dst and its metadata as intended. This is a textbook instance of CWE-401 (Missing Release of Memory after Effective Lifetime), and the resulting attack maps to ATT&CK T1499.001 (Endpoint Denial of Service: OS Exhaustion Flood). Administrators should apply the patched kernel on every host that terminates or forwards tunnel traffic, and can verify exposure by checking whether their distribution kernel carries the upstream commit "net: fix a memleak when uncloning an skb dst and its metadata".
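The following is an added userspace model of the reference-count mistake described above and of the fix; it is not kernel code and does not come from the page or the kernel tree. The struct names, tun_dst_unclone_model and simulate_uncloning are hypothetical stand-ins whose ownership rules mirror the ones the analysis relies on: a fresh dst starts at refcount 1, skb_dst_set takes over the caller's reference without incrementing, and freeing the skb releases exactly one reference. The tunnel info bytes are constructed sample data. Running it with the extra dst_hold reproduces one leaked object per packet; running it without (the fixed behaviour) leaks nothing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace model of struct metadata_dst (not the kernel's definition). */
struct metadata_dst {
    int refcnt;                 /* models dst->__refcnt */
    size_t options_len;
    unsigned char tun_info[64]; /* stands in for struct ip_tunnel_info + options */
};

/* Hypothetical model of an sk_buff: it can hold exactly one dst reference. */
struct sk_buff {
    struct metadata_dst *dst;   /* models skb->_skb_refdst */
};

static int live_dsts;           /* metadata_dst objects currently allocated */

/* Like metadata_dst_alloc: the new object is returned with one reference. */
static struct metadata_dst *metadata_dst_alloc(size_t options_len)
{
    struct metadata_dst *md = calloc(1, sizeof(*md));
    if (!md)
        return NULL;
    md->refcnt = 1;
    md->options_len = options_len;
    live_dsts++;
    return md;
}

static void dst_hold(struct metadata_dst *md) { md->refcnt++; }

/* Like dst_release: the object is freed only when the last reference goes. */
static void dst_release(struct metadata_dst *md)
{
    if (md && --md->refcnt == 0) {
        free(md);
        live_dsts--;
    }
}

/* Like skb_dst_set: the skb takes over the caller's reference, no increment. */
static void skb_dst_set(struct sk_buff *skb, struct metadata_dst *md) { skb->dst = md; }

/* Like skb_dst_drop: release the skb's reference. */
static void skb_dst_drop(struct sk_buff *skb)
{
    dst_release(skb->dst);
    skb->dst = NULL;
}

/* Model of tun_dst_unclone: extra_hold=1 is the behaviour before the fix, 0 after. */
static struct metadata_dst *tun_dst_unclone_model(struct sk_buff *skb, int extra_hold)
{
    struct metadata_dst *old = skb->dst;
    struct metadata_dst *new_md;

    if (!old)
        return NULL;
    new_md = metadata_dst_alloc(old->options_len);
    if (!new_md)
        return NULL;
    memcpy(new_md->tun_info, old->tun_info, sizeof(new_md->tun_info));
    skb_dst_drop(skb);          /* drop the skb's reference on the shared dst */
    if (extra_hold)
        dst_hold(new_md);       /* the bug: refcount 1 -> 2 with only one holder */
    skb_dst_set(skb, new_md);   /* the skb now owns the allocator's reference */
    return new_md;
}

/* Push `packets` skbs that share one tunnel dst through the uncloning path, then
 * free each skb. Returns how many metadata_dst objects the run left behind. */
static int simulate_uncloning(int packets, int buggy)
{
    int before = live_dsts;
    struct metadata_dst *shared = metadata_dst_alloc(0);

    if (!shared)
        return -1;
    memset(shared->tun_info, 0xAB, sizeof(shared->tun_info)); /* constructed sample */
    for (int i = 0; i < packets; i++) {
        struct sk_buff skb = { 0 };
        dst_hold(shared);                 /* each skb gets its own reference */
        skb_dst_set(&skb, shared);
        tun_dst_unclone_model(&skb, buggy);
        skb_dst_drop(&skb);               /* kfree_skb path: drop the skb's dst */
    }
    dst_release(shared);                  /* drop the allocator's original reference */
    return live_dsts - before;
}

int main(void)
{
    printf("leaked before fix: %d\n", simulate_uncloning(100, 1));
    printf("leaked after fix:  %d\n", simulate_uncloning(100, 0));
    return 0;
}
```

The point the model makes explicit is that skb_dst_set consumes a reference rather than taking one, so the only correct caller is one that owns exactly the reference it passes in; any extra dst_hold before it is a leak by construction, which is why the fix could simply delete the call rather than add a matching release.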