CVE-2021-47488

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-47488
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-47488.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2021-47488
Related
Published
2024-05-22T09:15:10Z
Modified
2024-09-18T03:17:28.936466Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

cgroup: Fix memory leak caused by missing cgroupbpfoffline

When enabling CONFIGCGROUPBPF, kmemleak can be observed by running the command as below:

$mount -t cgroup -o none,name=foo cgroup cgroup/
$umount cgroup/

unreferenced object 0xc3585c40 (size 64): comm "mount", pid 425, jiffies 4294959825 (age 31.990s) hex dump (first 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(......... 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... backtrace: [<e95a2f9e>] cgroupbpfinherit+0x44/0x24c [<1f03679c>] cgroupsetuproot+0x174/0x37c [<ed4b0ac5>] cgroup1gettree+0x2c0/0x4a0 [<f85b12fd>] vfsgettree+0x24/0x108 [<f55aec5c>] pathmount+0x384/0x988 [<e2d5e9cd>] domount+0x64/0x9c [<208c9cfe>] sysmount+0xfc/0x1f4 [<06dd06e0>] retfast_syscall+0x0/0x48 [<a8308cb3>] 0xbeb4daa8

This is because that since the commit 2b0d3d3e4fcf ("percpuref: reduce memory footprint of percpuref in fast path") rootcgrp->bpf.refcnt.data is allocated by the function percpurefinit in cgroupbpfinherit which is called by cgroupsetuproot when mounting, but not freed along with rootcgrp when umounting. Adding cgroupbpfoffline which calls percpurefkill to cgroupkillsb can free root_cgrp->bpf.refcnt.data in umount path.

This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroupbpf from cgroup itself"). A cgroupbpfoffline is needed to do a cleanup that frees the resources which are allocated by cgroupbpfinherit in cgroupsetup_root.

And inside cgroupbpfoffline, cgroupget() is at the beginning and cgroupput is at the end of cgroupbpfrelease which is called by cgroupbpfoffline. So cgroupbpfoffline can keep the balance of cgroup's refcount.

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.84-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.15.3-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}