Message-ID: <2024052144-CVE-2021-47249-ed65@gregkh>
Date: Tue, 21 May 2024 16:20:03 +0200
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2021-47249: net: rds: fix memory leak in rds_recvmsg

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

net: rds: fix memory leak in rds_recvmsg

Syzbot reported a memory leak in rds. The problem
was an unputted refcount in case of error.

int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
		int msg_flags)
{
..
	if (!rds_next_incoming(rs, &inc)) {
		...
	}

After this "if", the inc refcount is incremented and

	if (rds_cmsg_recv(inc, msg, rs)) {
		ret = -EFAULT;
		goto out;
	}
..
out:
	return ret;
}

In case rds_cmsg_recv() fails, the refcount won't be
decremented. And it's easy to see from the ftrace log that
rds_inc_addref() doesn't have an rds_inc_put() pair in
rds_recvmsg() after rds_cmsg_recv():

 1)               |  rds_recvmsg() {
 1)   3.721 us    |    rds_inc_addref();
 1)   3.853 us    |    rds_message_inc_copy_to_user();
 1) + 10.395 us   |    rds_cmsg_recv();
 1) + 34.260 us   |  }

The Linux kernel CVE team has assigned CVE-2021-47249 to this issue.
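
The unbalanced reference described above, as an added example that is not code from this advisory or from the kernel: a userspace C model in which `struct inc`, `next_incoming()`, `inc_put()`, `recvmsg_leaky()`, `recvmsg_balanced()` and `leaked_refs()` are hypothetical stand-ins. The balanced variant shows one way to pair the reference, not necessarily the form the upstream commits use.

```c
/* Userspace model of the refcount imbalance; constructed, not kernel code. */
#include <errno.h>
#include <stdio.h>

struct inc { int refcount; };   /* stands in for the RDS incoming message */

/* Models rds_next_incoming() succeeding: hands back inc with a new ref. */
static struct inc *next_incoming(struct inc *q) { q->refcount++; return q; }

/* Models rds_inc_put(): drops one reference. */
static void inc_put(struct inc *inc) { inc->refcount--; }

/* Pattern from the advisory: the error path jumps to out without a put. */
static int recvmsg_leaky(struct inc *queued, int cmsg_fail)
{
    struct inc *inc = next_incoming(queued);
    int ret = 0;

    if (cmsg_fail) {            /* models rds_cmsg_recv() returning an error */
        ret = -EFAULT;
        goto out;               /* reference taken above is never dropped */
    }
    inc_put(inc);
out:
    return ret;
}

/* Balanced variant: every exit after the addref passes through one put. */
static int recvmsg_balanced(struct inc *queued, int cmsg_fail)
{
    struct inc *inc = next_incoming(queued);
    int ret = cmsg_fail ? -EFAULT : 0;

    inc_put(inc);
    return ret;
}

/* References still held after one call, beyond the queue's own reference. */
static int leaked_refs(int (*fn)(struct inc *, int), int cmsg_fail)
{
    struct inc msg = { .refcount = 1 };   /* constructed sample message */
    fn(&msg, cmsg_fail);
    return msg.refcount - 1;
}

int main(void)
{
    printf("leaked refs on error: leaky=%d balanced=%d\n",
           leaked_refs(recvmsg_leaky, 1), leaked_refs(recvmsg_balanced, 1));
    return 0;
}
```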

Affected and fixed versions
===========================

Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 4.4.274 with commit 8c3ec88b03e9
Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 4.9.274 with commit 423c6939758f
Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 4.14.238 with commit 1f79bc8ae81c
Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 4.19.196 with commit 06b7cb0194bd
Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 5.4.128 with commit 2038cd15eacd
Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 5.10.46 with commit 5946fbf48355
Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 5.12.13 with commit b25b60d07616
Issue introduced in 2.6.30 with commit bdbe6fbc6a2f and fixed in 5.13 with commit 49bfcbfd989a
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2021-47249
will be updated if fixes are backported, please check that for the most
up to date information about this issue.

Affected files
==============

The file(s) affected by this issue are:
net/rds/recv.c

Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/8c3ec88b03e9e4ca117dcdc4204fd3edcd02084f
https://git.kernel.org/stable/c/423c6939758fb3b9cf5abbd1e7792068a5c4ae8c
https://git.kernel.org/stable/c/1f79bc8ae81c05eb112a53f981cb2c244ee50d02
https://git.kernel.org/stable/c/06b7cb0194bd1ede0dd27f3a946e7c0279fba44a
https://git.kernel.org/stable/c/2038cd15eacdf7512755c27686822e0052eb9042
https://git.kernel.org/stable/c/5946fbf48355f5a8caeff72580c7658da5966b86
https://git.kernel.org/stable/c/b25b60d076164edb3025e85aabd2cf50a5215b91
https://git.kernel.org/stable/c/49bfcbfd989a8f1f23e705759a6bb099de2cff9f