Linux Kernel ESP TCP Encapsulation SKB Memory Leak Vulnerability

Vulnerability

A memory leak vulnerability has been identified in the Linux kernel's handling of ESP (Encapsulating Security Payload) over TCP (Transmission Control Protocol) when using asynchronous cryptography. This issue arises in the 'espintcp' encapsulation, which is defined in RFC 8229. When the transmission queue for 'espintcp' is full, the function responsible for processing the ESP output will return an error without freeing the associated socket buffer (SKB). In scenarios where synchronous cryptography is used, the kernel can automatically drop the packet. However, with asynchronous cryptography, the error handling fails to properly manage the memory, leading to a leak.

Impact

Exploitation of this vulnerability causes a memory leak, where allocated memory is not properly released, potentially leading to increased memory usage and exhaustion over time.

Reproduction

The vulnerability can be reproduced by configuring a Linux system to use ESP over TCP with asynchronous cryptography. When the transmission queue becomes full, the 'esp_output_tail_tcp' function will return an error. In this case, the socket buffer is not freed, causing a memory leak. This behavior can be observed by monitoring memory usage during the transmission of ESP packets over TCP.
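The buffer-ownership problem described above can be shown with a small user-space model. This is an added example, not kernel code and not the upstream patch: buf_alloc, buf_free, tcp_tail, send_sync, async_done and held_after are hypothetical stand-ins, and the 8-entry pool and the -1 error value are constructed.

```c
/* User-space model of the ownership rule; hypothetical names, not kernel code. */
#include <stdio.h>
#include <string.h>

#define POOL 8                          /* constructed pool size */
static struct buf { int in_use; } pool[POOL];

static struct buf *buf_alloc(void)
{
    for (int i = 0; i < POOL; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; return &pool[i]; }
    return NULL;                        /* pool exhausted */
}
static void buf_free(struct buf *b) { b->in_use = 0; }

/* Tail step: consumes the buffer on success; on a full queue it returns
 * an error (placeholder value) and leaves the buffer with its caller. */
static int tcp_tail(struct buf *b, int queue_full)
{
    if (queue_full) return -1;
    buf_free(b);
    return 0;
}
/* Sync path: the caller sees the error and drops the packet. */
static void send_sync(struct buf *b, int full) { if (tcp_tail(b, full)) buf_free(b); }
/* Async completion callback: nothing above it drops the packet, so it
 * must free on error itself. free_on_error = 0 models the leak. */
static void async_done(struct buf *b, int full, int free_on_error)
{
    if (tcp_tail(b, full) && free_on_error) buf_free(b);
}

/* Send n packets; return how many buffers are still held afterwards. */
static int held_after(int n, int async, int full, int free_on_error)
{
    int held = 0;
    memset(pool, 0, sizeof pool);
    for (int i = 0; i < n; i++) {
        struct buf *b = buf_alloc();
        if (!b) break;                  /* exhaustion: allocation fails */
        if (async) async_done(b, full, free_on_error);
        else send_sync(b, full);
    }
    for (int i = 0; i < POOL; i++) held += pool[i].in_use;
    return held;
}

int main(void)
{
    printf("async, full queue, no free on error: %d held\n", held_after(100, 1, 1, 0));
    printf("async, full queue, free on error:    %d held\n", held_after(100, 1, 1, 1));
    return 0;
}
```

With the queue full, the leaky async variant holds every buffer until the pool is exhausted, while the sync path and the async variant that frees on error hold none.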

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. The specific commit that resolves this issue is '0c0eef8ccd2413b0a10eb6bbd3442333b1e64dd2', which is included in the official Linux kernel repositories.

Added: Apr 22, 2026, 2:42 PM
Updated: Apr 22, 2026, 2:42 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 3.1
exploitability: 3.9
remediation: 7.7
relevance: 6.5
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.