CVE-2025-22058
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-22058
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-22058.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-22058
- Related
- Published
- 2025-04-16T15:15:59Z
- Modified
- 2025-05-30T01:05:20.978231Z
- Downstream
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
udp: Fix memory accounting leak.
Matt Dowling reported a weird UDP memory usage issue.
Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. Finally, it caused intermittent packet drops.
We can reproduce the issue with the script below [0]:
/proc/net/sockstat reports 0 pages
cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 0
Run the script till the report reaches 524,288
python3 test.py & sleep 5
cat /proc/net/sockstat | grep UDP:
UDP: inuse 3 mem 524288 <-- (INTMAX + 1) >> PAGESHIFT
Kill the socket and confirm the number never drops
pkill python3 && sleep 5
cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 524288
(necessary since v6.0) Trigger protomemorypcpu_drain()
python3 test.py & sleep 1 && pkill python3
The number doubles
cat /proc/net/sockstat | grep UDP:
UDP: inuse 1 mem 1048577
The application set INTMAX to SORCVBUF, which triggered an integer overflow in udprmemrelease().
When a socket is close()d, udpdestructcommon() purges its receive queue and sums up skb->truesize in the queue. This total is calculated and stored in a local unsigned integer variable.
The total size is then passed to udprmemrelease() to adjust memory accounting. However, because the function takes a signed integer argument, the total size can wrap around, causing an overflow.
Then, the released amount is calculated as follows:
1) Add size to sk->skforwardalloc. 2) Round down sk->skforwardalloc to the nearest lower multiple of PAGESIZE and assign it to amount. 3) Subtract amount from sk->skforwardalloc. 4) Pass amount >> PAGESHIFT to _skmemreduceallocated().
When the issue occurred, the total in udpdestructcommon() was 2147484480 (INTMAX + 833), which was cast to -2147482816 in udprmem_release().
At 1) sk->skforwardalloc is changed from 3264 to -2147479552, and 2) sets -2147479552 to amount. 3) reverts the wraparound, so we don't see a warning in inetsockdestruct(). However, udpmemoryallocated ends up doubling at 4).
Since commit 3cd3399dd7a8 ("net: implement per-cpu reserves for memoryallocated"), memory usage no longer doubles immediately after a socket is close()d because _skmemreduceallocated() caches the amount in udpmemorypercpufwalloc. However, the next time a UDP socket receives a packet, the subtraction takes effect, causing UDP memory usage to double.
This issue makes further memory allocation fail once the socket's sk->skrmemalloc exceeds net.ipv4.udprmemmin, resulting in packet drops.
To prevent this issue, let's use unsigned int for the calculation and call skforwardalloc_add() only once for the small delta.
Note that firstpacketlength() also potentially has the same problem.
SORCVBUFFORCE = 33 INTMAX = (2 ** 31) - 1
s = socket(AFINET, SOCKDGRAM) s.bind(('', 0)) s.setsockopt(SOLSOCKET, SORCVBUFFORCE, INT_MAX)
c = socket(AFINET, SOCKDGRAM) c.connect(s.getsockname())
data = b'a' * 100
while True: c.send(data)
- References
-
- https://git.kernel.org/stable/c/3836029448e76c1e6f77cc5fe0adc09b018b5fa8
- https://git.kernel.org/stable/c/9122fec396950cc866137af7154b1d0d989be52e
- https://git.kernel.org/stable/c/a116b271bf3cb72c8155b6b7f39083c1b80dcd00
- https://git.kernel.org/stable/c/aeef6456692c6f11ae53d278df64f1316a2a405a
- https://git.kernel.org/stable/c/c4bac6c398118fba79e32b1cd01db22dbfe29fbf
- https://git.kernel.org/stable/c/df207de9d9e7a4d92f8567e2c539d9c8c12fd99d
- https://security-tracker.debian.org/tracker/CVE-2025-22058
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affected
Affected versions
5.*
6.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.135-1
Affected versions
6.*
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.12.25-1
Affected versions
6.*
Debian:11 / linux-6.1
Package
- Name
- linux-6.1
- Purl
- pkg:deb/debian/linux-6.1?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.137-1~deb11u1