| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2025022622-CVE-2022-49661-c53c@gregkh>
Date: Wed, 26 Feb 2025 03:23:44 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2022-49661: can: gs_usb: gs_usb_open/close(): fix memory leak
Description
===========
In the Linux kernel, the following vulnerability has been resolved:
can: gs_usb: gs_usb_open/close(): fix memory leak
The gs_usb driver appears to suffer from a malady common to many USB
CAN adapter drivers in that it performs usb_alloc_coherent() to
allocate a number of USB request blocks (URBs) for RX, and then later
relies on usb_kill_anchored_urbs() to free them, but this doesn't
actually free them. As a result, this may be leaking DMA memory that's
been used by the driver.
This commit is an adaptation of the techniques found in the esd_usb2
driver where a similar design pattern led to a memory leak. It
explicitly frees the RX URBs and their DMA memory via a call to
usb_free_coherent(). Since the RX URBs were allocated in the
gs_can_open(), we remove them in gs_can_close() rather than in the
disconnect function as was done in esd_usb2.
For more information, see the 928150fad41b ("can: esd_usb2: fix memory
leak").
The Linux kernel CVE team has assigned CVE-2022-49661 to this issue.
Affected and fixed versions
===========================
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.9.323 with commit 339fa9f80d3b94177a7a459c6d115d3b56007d5a
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.14.288 with commit c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 4.19.252 with commit d91492638b054f4a359621ef216242be5973ed6b
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.4.205 with commit 6f655b5e13fa4b27e915b6c209ac0da74fd75963
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.10.130 with commit d0b8e223998866b3e7b2895927d4e9689b0a80d8
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.15.54 with commit 0e60230bc64355c80abe993d1719fdb318094e20
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.18.11 with commit ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c
Issue introduced in 3.16 with commit d08e973a77d128b25e01a08c34d89593fdf222da and fixed in 5.19 with commit 2bda24ef95c0311ab93bda00db40486acf30bd0a
Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.
Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
https://cve.org/CVERecord/?id=CVE-2022-49661
will be updated if fixes are backported, please check that for the most
up to date information about this issue.
Affected files
==============
The file(s) affected by this issue are:
drivers/net/can/usb/gs_usb.c
Mitigation
==========
The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
https://git.kernel.org/stable/c/339fa9f80d3b94177a7a459c6d115d3b56007d5a
https://git.kernel.org/stable/c/c1d806bc29ff7ffe0e2a023583c8720ed96cb0b0
https://git.kernel.org/stable/c/d91492638b054f4a359621ef216242be5973ed6b
https://git.kernel.org/stable/c/6f655b5e13fa4b27e915b6c209ac0da74fd75963
https://git.kernel.org/stable/c/d0b8e223998866b3e7b2895927d4e9689b0a80d8
https://git.kernel.org/stable/c/0e60230bc64355c80abe993d1719fdb318094e20
https://git.kernel.org/stable/c/ffb6cc6601ec7c8fa963dcf76025df4a02f2cf5c
https://git.kernel.org/stable/c/2bda24ef95c0311ab93bda00db40486acf30bd0a
Powered by blists - more mailing lists