Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A memory leak vulnerability has been identified in the Linux kernel's TUN/TAP networking driver, specifically within the 'tun_xdp_one()' function. This issue arises when the function processes frames shorter than the Ethernet header length. In such cases, 'tun_xdp_one()' returns an error code without releasing the memory page allocated by 'vhost_net_build_xdp()'. The 'tun_sendmsg()' function ignores this error and continues to report the total length, leading the 'vhost_tx_batch()' function to assume success and neglect memory cleanup. As a result, each short frame in a transmission batch causes a memory leak, with a tight submission loop potentially exhausting system memory and causing an out-of-memory panic. This vulnerability can be exploited by a local process with access to '/dev/net/tun' and '/dev/vhost-net', by attaching a TUN/TAP device as the vhost-net backend and sending transmission descriptors with lengths below the Ethernet header requirement.
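A simplified userspace model of the ownership bug described above, added here as an illustration; it is not kernel code and not the upstream patch. The `*_model` names, the 4096-byte allocation, the sample lengths and the `release_on_error` switch are assumptions, and releasing the page in the rejecting path is one way to close the leak, not necessarily how the kernel fix does it.

```c
#include <stdio.h>
#include <stdlib.h>

#define ETH_HLEN 14                 /* Ethernet header length in bytes */
#define BATCH_MAX 16

struct frame { void *page; size_t len; };
static int live_pages;              /* pages allocated and not yet released */
/* Constructed sample batch: three lengths are below ETH_HLEN. */
static const size_t SAMPLE_LENS[] = { 60, 5, 13, 14, 0 };

static void put_page_model(struct frame *f) {
    if (f->page) { free(f->page); f->page = NULL; live_pages--; }
}

/* Models tun_xdp_one(): rejects short frames. With release_on_error == 0 it
 * returns the error while the page is still allocated (the leak). */
static int xdp_one_model(struct frame *f, int release_on_error) {
    if (f->len < ETH_HLEN) {
        if (release_on_error)
            put_page_model(f);      /* assumed hardening: drop page before failing */
        return -1;
    }
    put_page_model(f);              /* accepted frame: consumed, then released */
    return 0;
}

/* Models the build / sendmsg / batch chain; returns pages left unreleased. */
int leaked_after_batch(const size_t *lens, size_t n, int release_on_error) {
    struct frame b[BATCH_MAX];
    int before = live_pages, leaked;
    if (n > BATCH_MAX) n = BATCH_MAX;
    for (size_t i = 0; i < n; i++) {        /* vhost_net_build_xdp() step */
        b[i].len = lens[i];
        b[i].page = malloc(4096);
        if (b[i].page) live_pages++;
    }
    for (size_t i = 0; i < n; i++)          /* tun_sendmsg(): error ignored */
        (void)xdp_one_model(&b[i], release_on_error);
    /* vhost_tx_batch() sees the full length reported, so it does no cleanup. */
    leaked = live_pages - before;
    for (size_t i = 0; i < n; i++)          /* tidy up so the model itself is clean */
        put_page_model(&b[i]);
    return leaked;
}

int main(void) {
    printf("leaky:    %d pages\n", leaked_after_batch(SAMPLE_LENS, 5, 0));
    printf("hardened: %d pages\n", leaked_after_batch(SAMPLE_LENS, 5, 1));
    return 0;
}
```

The model makes the review point concrete: when a callee can fail after a buffer has been handed to it, either the callee releases the buffer on every error path or the caller must see the error and clean up.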
Exploitation of this vulnerability leaks memory: each short frame in a batch leaves a page-fragment chunk unreleased, which can exhaust system memory and trigger an out-of-memory panic.
To reproduce this vulnerability, a local process must open '/dev/net/tun' and '/dev/vhost-net'. The process can then attach a TUN/TAP device as the vhost-net backend and send transmission descriptors with lengths that exclude the virtio-net header and fall below the Ethernet header length. This will cause the 'tun_xdp_one()' function to reject the frames, leading to a memory leak with each transmission.
The vulnerability has been fixed in the Linux kernel. Users should upgrade to the latest version available in the Linux kernel stable tree.