CVE-2021-46998 ethernet:enic: Fix a use after free bug in enic_hard_start_xmit

2024-02-2808:13:21

Linux

github.com

linux kernel

vulnerability

ethernet

enic

use after free

enic_hard_start_xmit

enic_queue_wq_skb

dev_kfree_skb

skb_tx_timestamp

error handling

AI Score

6.8

Confidence

Low

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

In the Linux kernel, the following vulnerability has been resolved:

ethernet:enic: Fix a use after free bug in enic_hard_start_xmit

In enic_hard_start_xmit, it calls enic_queue_wq_skb(). Inside
enic_queue_wq_skb, if some error happens, the skb will be freed
by dev_kfree_skb(skb). But the freed skb is still used in
skb_tx_timestamp(skb).

My patch makes enic_queue_wq_skb() return error and goto spin_unlock()
incase of error. The solution is provided by Govind.
See https://lkml.org/lkml/2021/4/30/961.