CVE-2021-47231

2024-05-21 15:15:12
web.nvd.nist.gov
linux kernel
memory leak
can bus
microchip
socketcan
vulnerability
usb driver

AI Score: 6.7 Medium (Confidence: Low)

EPSS: 0.0004 Low (Percentile: 10.4%)

In the Linux kernel, the following vulnerability has been resolved:

can: mcba_usb: fix memory leak in mcba_usb

Syzbot reported memory leak in SocketCAN driver for Microchip CAN BUS
Analyzer Tool. The problem was in unfreed usb_coherent.

In mcba_usb_start() 20 coherent buffers are allocated and there is
nothing that frees them:

  1. In callback function the urb is resubmitted and that’s all
  2. In disconnect function urbs are simply killed, but URB_FREE_BUFFER
    is not set (see mcba_usb_start) and this flag cannot be used with
    coherent buffers.

Fail log:
| [ 1354.053291][ T8413] mcba_usb 1-1:0.0 can0: device disconnected
| [ 1367.059384][ T8420] kmemleak: 20 new suspected memory leaks (see /sys/kernel/debug/kmem)

So, all allocated buffers should be freed with usb_free_coherent()
explicitly.

NOTE:
The same pattern for allocating and freeing coherent buffers
is used in drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c

Affected configurations

Vulners
Node
linux linux_kernel, range 4.12 to 4.14.238
OR
linux linux_kernel, range 4.15.0 to 4.19.196
OR
linux linux_kernel, range 4.20.0 to 5.4.128
OR
linux linux_kernel, range 5.5.0 to 5.10.46
OR
linux linux_kernel, range 5.11.0 to 5.12.13
OR
linux linux_kernel, range 5.13.0

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/can/usb/mcba_usb.c"
    ],
    "versions": [
      {
        "version": "51f3baad7de9",
        "lessThan": "89df95ce32be",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "51f3baad7de9",
        "lessThan": "a115198caaab",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "51f3baad7de9",
        "lessThan": "6f87c0e21ad2",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "51f3baad7de9",
        "lessThan": "6bd3d80d1f01",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "51f3baad7de9",
        "lessThan": "d0760a4ef856",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "51f3baad7de9",
        "lessThan": "91c02557174b",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "drivers/net/can/usb/mcba_usb.c"
    ],
    "versions": [
      {
        "version": "4.12",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.12",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.238",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.196",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.128",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.46",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.12.13",
        "lessThanOrEqual": "5.12.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.13",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]
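
The CNA version data above can be turned into a check for a `uname -r` string. This is an added example, not part of the CVE record or of the kernel project's code; the function names and the sample release strings are constructed for illustration, and the result reflects upstream version numbers only.

```python
import re

# Values copied from the CNA "versions" list above.
INTRODUCED = (4, 12)      # first affected release
MAINLINE_FIX = (5, 13)    # "original_commit_for_fix"; later releases are unaffected
FIXED_IN_BRANCH = {       # stable branch -> first unaffected patch level
    (4, 14): 238,
    (4, 19): 196,
    (5, 4): 128,
    (5, 10): 46,
    (5, 12): 13,
}


def parse_release(release):
    """Split a `uname -r` style string into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if m is None:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def upstream_status(release):
    """Return 'affected' or 'unaffected' per the upstream version data."""
    major, minor, patch = parse_release(release)
    branch = (major, minor)
    if branch < INTRODUCED or branch >= MAINLINE_FIX:
        return "unaffected"
    fixed = FIXED_IN_BRANCH.get(branch)
    # Branches with no listed fix (for example 4.15 to 4.18) stay affected,
    # because the record's defaultStatus is "affected".
    if fixed is not None and patch >= fixed:
        return "unaffected"
    return "affected"


if __name__ == "__main__":
    # Constructed sample release strings, not taken from any real host.
    for rel in ("4.11.12", "4.14.237", "4.14.238", "4.18.20",
                "5.10.0-8-amd64", "5.12.13", "6.1.0-18-amd64"):
        print(f"{rel:18} {upstream_status(rel)}")
```

Distribution kernels may carry the fix as a backport without changing the upstream version number, and the leak only matters where the mcba_usb driver is built, so an "affected" result is a prompt to check the vendor's advisory.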
