CVE-2021-47238

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47238
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47238.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47238
Related
Published
2024-05-21T15:15:13Z
Modified
2024-09-18T01:00:21Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ipmcadd1_src

BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] [<00000000f17c5244>] ipmcadd1src net/ipv4/igmp.c:1971 [inline] [<00000000f17c5244>] ipmcaddsrc+0x95f/0xdb0 net/ipv4/igmp.c:2095 [<000000001cb99709>] ipmcsource+0x84c/0xea0 net/ipv4/igmp.c:2416 [<0000000052cf19ed>] doipsetsockopt net/ipv4/ipsockglue.c:1294 [inline] [<0000000052cf19ed>] ipsetsockopt+0x114b/0x30c0 net/ipv4/ipsockglue.c:1423 [<00000000477edfbc>] rawsetsockopt+0x13d/0x170 net/ipv4/raw.c:857 [<00000000e75ca9bb>] _syssetsockopt+0x158/0x270 net/socket.c:2117 [<00000000bdb993a8>] _dosyssetsockopt net/socket.c:2128 [inline] [<00000000bdb993a8>] _sesyssetsockopt net/socket.c:2125 [inline] [<00000000bdb993a8>] _x64syssetsockopt+0xba/0x150 net/socket.c:2125 [<000000006a1ffdbd>] dosyscall64+0x40/0x80 arch/x86/entry/common.c:47 [<00000000b11467c4>] entrySYSCALL64after_hwframe+0x44/0xae

In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ipmcclearsrc() in ipmcdestroydev() was removed, because it was also called in igmpv3cleardelrec().

Rough callgraph:

inetdevdestroy -> ipmcdestroydev -> igmpv3cleardelrec -> ipmcclearsrc -> RCUINITPOINTER(dev->ipptr, NULL)

However, ipmcclearsrc() called in igmpv3cleardelrec() doesn't release indev->mclist->sources. And RCUINITPOINTER() assigns the NULL to dev->ipptr. As a result, indev cannot be obtained through inetdevbyindex() and then indev->mclist->sources cannot be released by ipmcdel1src() in the sock_close. Rough call sequence goes like:

sockclose -> _sockrelease -> inetrelease -> ipmcdropsocket -> inetdevbyindex -> ipmcleavesrc -> ipmcdelsrc -> ipmcdel1src

So we still need to call ipmcclearsrc() in ipmcdestroydev() to free indev->mclist->sources.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.46-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.46-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.46-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}