Description |
- |
In the Linux kernel before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c |
+ |
In the Linux kernel 5.17 before 5.17.1, a refcount leak bug was found in net/llc/af_llc.c, if it finds an ARPHRD_ETHER type net device, it will hold the device's refcount, but doesn't release the device if it fails to find a usable sap later. If llc_ui_bind() is called on a socket multiple times and provided with a used sllc_sap each time, the device's refcount will be increased unexpectedly, and the device cannot be removed then. An attacker can leverage this flaw to trigger an integer overflow on the device's refcount and eventually lead to a use-after-free bug. The function llc_ui_autobind() has the same issue. |
|