CVE-2022-49871
- Source
- https://cve.org/CVERecord?id=CVE-2022-49871
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49871.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2022-49871
- Downstream
- Related
- Published
- 2025-05-01T14:10:21.760Z
- Modified
- 2026-03-12T03:25:56.745401Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- net: tun: Fix memory leaks of napi_get_frags
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: tun: Fix memory leaks of napigetfrags
kmemleak reports after running test_progs:
unreferenced object 0xffff8881b1672dc0 (size 232): comm "testprogs", pid 394388, jiffies 4354712116 (age 841.975s) hex dump (first 32 bytes): e0 84 d7 a8 81 88 ff ff 80 2c 67 b1 81 88 ff ff .........,g..... 00 40 c5 9b 81 88 ff ff 00 00 00 00 00 00 00 00 .@.............. backtrace: [<00000000c8f01748>] napiskbcacheget+0xd4/0x150 [<0000000041c7fc09>] __napibuildskb+0x15/0x50 [<00000000431c7079>] __napiallocskb+0x26e/0x540 [<000000003ecfa30e>] napigetfrags+0x59/0x140 [<0000000099b2199e>] tungetuser+0x183d/0x3bb0 [tun] [<000000008a5adef0>] tunchrwriteiter+0xc0/0x1b1 [tun] [<0000000049993ff4>] doiterreadvwritev+0x19f/0x320 [<000000008f338ea2>] doiterwrite+0x135/0x630 [<000000008a3377a4>] vfswritev+0x12e/0x440 [<00000000a6b5639a>] dowritev+0x104/0x280 [<00000000ccf065d8>] dosyscall64+0x3b/0x90 [<00000000d776e329>] entrySYSCALL64afterhwframe+0x63/0xcd
The issue occurs in the following scenarios: tungetuser() napigrofrags() napifragsfinish() case GRONORMAL: gronormalone() listaddtail(&skb->list, &napi->rxlist); <-- While napi->rxcount < READONCE(gronormalbatch), <-- gronormallist() is not called, napi->rxlist is not empty <-- not ask to complete the gro work, will cause memory leaks in <-- following tunnapidel() ... tunnapidel() netifnapi_del() _netifnapidel() <-- &napi->rxlist is not empty, which caused memory leaks
To fix, add napicomplete() after napigro_frags().
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49871.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1118b2049d77ca0b505775fc1a8d1909cf19a7ec
- https://git.kernel.org/stable/c/223ef6a94e52331a6a7ef31e59921e0e82d2d40a
- https://git.kernel.org/stable/c/3401f964028ac941425b9b2c8ff8a022539ef44a
- https://git.kernel.org/stable/c/8b12a020b20a78f62bedc50f26db3bf4fadf8cb9
- https://git.kernel.org/stable/c/a4f73f6adc53fd7a3f9771cbc89a03ef39b0b755
- https://git.kernel.org/stable/c/d7569302a7a52a9305d2fb054df908ff985553bb
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49871.json
- https://nvd.nist.gov/vuln/detail/CVE-2022-49871
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced90e33d45940793def6f773b2d528e9f3c84ffdc7Fixed223ef6a94e52331a6a7ef31e59921e0e82d2d40aFixeda4f73f6adc53fd7a3f9771cbc89a03ef39b0b755Fixed3401f964028ac941425b9b2c8ff8a022539ef44aFixedd7569302a7a52a9305d2fb054df908ff985553bbFixed8b12a020b20a78f62bedc50f26db3bf4fadf8cb9Fixed1118b2049d77ca0b505775fc1a8d1909cf19a7ec