Wang Liang

Researcher fromHuawei
#21658of 53,634
11Total CVSS
Vulnerabilities · 2
Medium
2
PT-2025-3592
5.5
2024-12-19
Linux · Linux Kernel · CVE-2024-57841
**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** A memory leak has been resolved in the Linux kernel. The issue occurs when `inet csk reqsk queue hash add()` returns false in `tcp conn request()`, causing the function to return without freeing the allocated `dst` memory. This results in a memory leak. The `kmemleak` stack trace shows an unreferenced object, indicating the memory leak. To fix this issue, `dst release()` should be called to free the `dst` memory when `inet csk reqsk queue hash add()` returns false in `tcp conn request()`. **Recommendations** Update to Linux kernel version 6.6.74 or later to resolve the memory leak issue. As a temporary workaround, consider implementing a custom solution to call `dst release()` when `inet csk reqsk queue hash add()` returns false in `tcp conn request()`, until an official patch is available.
PT-2024-34090
5.5
2024-10-23
Linux · Linux Kernel · CVE-2024-50258
Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.6.61 Description: A crash can occur in the Linux kernel when a small `gso max size` or `gso ipv4 max size` is configured, leading to an underflow in `sk dst gso max size()`. This underflow may trigger a BUG ON crash because `sk->sk gso max size` would be much bigger than device limits. The issue is related to the `tcp write xmit` function, where `tso segs` is calculated using `DIV ROUND UP(skb->len, mss now)`, which can result in a value of 0, triggering the BUG ON crash. A check for the minimum value of `gso max size` and `gso ipv4 max size` has been added to fix the issue. Recommendations: For Linux kernel versions prior to 6.6.61, update to version 6.6.61 or later to resolve the issue. As a temporary workaround, consider configuring a larger `gso max size` and `gso ipv4 max size` to avoid the underflow issue. Restrict access to the `tcp write xmit` function and related `tcp set skb tso segs` and `tcp skb pcount set` functions to minimize the risk of exploitation. Avoid using small values for `gso max size` and `gso ipv4 max size` until the issue is resolved.