CVE-2021-47238
See a problem?- Source
- https://nvd.nist.gov/vuln/detail/CVE-2021-47238
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47238.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-47238
- Related
- Published
- 2024-05-21T15:15:13Z
- Modified
- 2024-09-18T01:00:21Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
net: ipv4: fix memory leak in ipmcadd1_src
BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] [<00000000f17c5244>] ipmcadd1src net/ipv4/igmp.c:1971 [inline] [<00000000f17c5244>] ipmcaddsrc+0x95f/0xdb0 net/ipv4/igmp.c:2095 [<000000001cb99709>] ipmcsource+0x84c/0xea0 net/ipv4/igmp.c:2416 [<0000000052cf19ed>] doipsetsockopt net/ipv4/ipsockglue.c:1294 [inline] [<0000000052cf19ed>] ipsetsockopt+0x114b/0x30c0 net/ipv4/ipsockglue.c:1423 [<00000000477edfbc>] rawsetsockopt+0x13d/0x170 net/ipv4/raw.c:857 [<00000000e75ca9bb>] _syssetsockopt+0x158/0x270 net/socket.c:2117 [<00000000bdb993a8>] _dosyssetsockopt net/socket.c:2128 [inline] [<00000000bdb993a8>] _sesyssetsockopt net/socket.c:2125 [inline] [<00000000bdb993a8>] _x64syssetsockopt+0xba/0x150 net/socket.c:2125 [<000000006a1ffdbd>] dosyscall64+0x40/0x80 arch/x86/entry/common.c:47 [<00000000b11467c4>] entrySYSCALL64after_hwframe+0x44/0xae
In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ipmcclearsrc() in ipmcdestroydev() was removed, because it was also called in igmpv3cleardelrec().
Rough callgraph:
inetdevdestroy -> ipmcdestroydev -> igmpv3cleardelrec -> ipmcclearsrc -> RCUINITPOINTER(dev->ipptr, NULL)
However, ipmcclearsrc() called in igmpv3cleardelrec() doesn't release indev->mclist->sources. And RCUINITPOINTER() assigns the NULL to dev->ipptr. As a result, indev cannot be obtained through inetdevbyindex() and then indev->mclist->sources cannot be released by ipmcdel1src() in the sock_close. Rough call sequence goes like:
sockclose -> _sockrelease -> inetrelease -> ipmcdropsocket -> inetdevbyindex -> ipmcleavesrc -> ipmcdelsrc -> ipmcdel1src
So we still need to call ipmcclearsrc() in ipmcdestroydev() to free indev->mclist->sources.
- References
-
- https://git.kernel.org/stable/c/0dc13e75507faa17ac9f7562b4ef7bf8fcd78422
- https://git.kernel.org/stable/c/1e28018b5c83d5073f74a6fb72eabe8370b2f501
- https://git.kernel.org/stable/c/3dd2aeac2e9624cff9fa634710837e4f2e352758
- https://git.kernel.org/stable/c/6cff57eea3347f79f1867cc53e1093b6614138d8
- https://git.kernel.org/stable/c/77de6ee73f54a9a89c0afa0bf4c53b239aa9953a
- https://git.kernel.org/stable/c/ac31cc837cafb57a271babad8ccffbf733caa076
- https://git.kernel.org/stable/c/d8e2973029b8b2ce477b564824431f3385c77083
- https://security-tracker.debian.org/tracker/CVE-2021-47238
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source