ghsa-jv5x-8v9f-frx2
Vulnerability from github
Published
2024-05-21 15:31
Modified
2024-07-03 18:42
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ip_mc_add1_src

BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117 [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline] [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline] [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae

In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, because it was also called in igmpv3_clear_delrec().

Rough callgraph:

inetdev_destroy -> ip_mc_destroy_dev -> igmpv3_clear_delrec -> ip_mc_clear_src -> RCU_INIT_POINTER(dev->ip_ptr, NULL)

However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through inetdev_by_index() and then in_dev->mc_list->sources cannot be released by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:

sock_close -> __sock_release -> inet_release -> ip_mc_drop_socket -> inetdev_by_index -> ip_mc_leave_src -> ip_mc_del_src -> ip_mc_del1_src

So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free in_dev->mc_list->sources.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-21T15:15:13Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix memory leak in ip_mc_add1_src\n\nBUG: memory leak\nunreferenced object 0xffff888101bc4c00 (size 32):\n  comm \"syz-executor527\", pid 360, jiffies 4294807421 (age 19.329s)\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n    01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................\n  backtrace:\n    [\u003c00000000f17c5244\u003e] kmalloc include/linux/slab.h:558 [inline]\n    [\u003c00000000f17c5244\u003e] kzalloc include/linux/slab.h:688 [inline]\n    [\u003c00000000f17c5244\u003e] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]\n    [\u003c00000000f17c5244\u003e] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095\n    [\u003c000000001cb99709\u003e] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416\n    [\u003c0000000052cf19ed\u003e] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]\n    [\u003c0000000052cf19ed\u003e] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423\n    [\u003c00000000477edfbc\u003e] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857\n    [\u003c00000000e75ca9bb\u003e] __sys_setsockopt+0x158/0x270 net/socket.c:2117\n    [\u003c00000000bdb993a8\u003e] __do_sys_setsockopt net/socket.c:2128 [inline]\n    [\u003c00000000bdb993a8\u003e] __se_sys_setsockopt net/socket.c:2125 [inline]\n    [\u003c00000000bdb993a8\u003e] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125\n    [\u003c000000006a1ffdbd\u003e] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47\n    [\u003c00000000b11467c4\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn commit 24803f38a5c0 (\"igmp: do not remove igmp souce list info when set\nlink down\"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,\nbecause it was also called in igmpv3_clear_delrec().\n\nRough callgraph:\n\ninetdev_destroy\n-\u003e ip_mc_destroy_dev\n     -\u003e igmpv3_clear_delrec\n        -\u003e ip_mc_clear_src\n-\u003e RCU_INIT_POINTER(dev-\u003eip_ptr, NULL)\n\nHowever, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn\u0027t\nrelease in_dev-\u003emc_list-\u003esources. And RCU_INIT_POINTER() assigns the\nNULL to dev-\u003eip_ptr. As a result, in_dev cannot be obtained through\ninetdev_by_index() and then in_dev-\u003emc_list-\u003esources cannot be released\nby ip_mc_del1_src() in the sock_close. Rough call sequence goes like:\n\nsock_close\n-\u003e __sock_release\n   -\u003e inet_release\n      -\u003e ip_mc_drop_socket\n         -\u003e inetdev_by_index\n         -\u003e ip_mc_leave_src\n            -\u003e ip_mc_del_src\n               -\u003e ip_mc_del1_src\n\nSo we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free\nin_dev-\u003emc_list-\u003esources.",
  "id": "GHSA-jv5x-8v9f-frx2",
  "modified": "2024-07-03T18:42:42Z",
  "published": "2024-05-21T15:31:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47238"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/0dc13e75507faa17ac9f7562b4ef7bf8fcd78422"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/1e28018b5c83d5073f74a6fb72eabe8370b2f501"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3dd2aeac2e9624cff9fa634710837e4f2e352758"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/6cff57eea3347f79f1867cc53e1093b6614138d8"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/77de6ee73f54a9a89c0afa0bf4c53b239aa9953a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ac31cc837cafb57a271babad8ccffbf733caa076"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/d8e2973029b8b2ce477b564824431f3385c77083"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.