Linux Kernel ENETC Driver Buffer Leak Vulnerability on XDP Redirect Failure

A buffer leak vulnerability has been identified in the Linux kernel ENETC driver, specifically related to the handling of XDP (eXpress Data Path) redirects. When the function 'enetc_clean_rx_ring_xdp()' calls 'xdp_do_redirect()', each software buffer descriptor in the receive ring can have a page reference count of either 1 or 2. If the buffer's page reference count is 2, indicating that it is not reusable, the driver can inadvertently leak the page. This issue arises because the driver zeroes out the page reference before fully processing it, creating a scenario where an error in the XDP redirect can lead to a memory leak. The vulnerability allows for the systematic leaking of memory pages, which could degrade system performance over time.

Impact

Exploitation of this vulnerability leads to a memory leak, where allocated pages are not properly released back to the system. This can cause increased memory usage and potentially exhaust available memory resources, leading to performance degradation or system instability.

Reproduction

The vulnerability can be reproduced by configuring a network interface that uses the ENETC driver and applying an XDP program that performs redirects. When the XDP redirect operation fails, the driver will leak memory by not properly managing the page references, especially if the redirect failure occurs after the driver has already marked the page as reusable.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to a version that includes the fix, which is available in the Linux stable tree.