CVE-2021-47238 net: ipv4: fix memory leak in ip_mc_add1_src

2024-05-2114:19:39

Linux

www.cve.org

linux kernel

memory leak

ip_mc_add1_src

fix

6.3 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ip_mc_add1_src

BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
comm “syz-executor527”, pid 360, jiffies 4294807421 (age 19.329s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 …
backtrace:
[<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
[<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
[<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
[<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
[<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
[<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
[<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
[<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
[<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
[<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
[<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
[<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
[<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
[<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae

In commit 24803f38a5c0 (“igmp: do not remove igmp souce list info when set
link down”), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
because it was also called in igmpv3_clear_delrec().

Rough callgraph:

inetdev_destroy
-> ip_mc_destroy_dev
-> igmpv3_clear_delrec
-> ip_mc_clear_src
-> RCU_INIT_POINTER(dev->ip_ptr, NULL)

However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn’t
release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the
NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through
inetdev_by_index() and then in_dev->mc_list->sources cannot be released
by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:

sock_close
-> __sock_release
-> inet_release
-> ip_mc_drop_socket
-> inetdev_by_index
-> ip_mc_leave_src
-> ip_mc_del_src
-> ip_mc_del1_src

So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
in_dev->mc_list->sources.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ipv4/igmp.c"
    ],
    "versions": [
      {
        "version": "24803f38a5c0",
        "lessThan": "0dc13e75507f",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "24803f38a5c0",
        "lessThan": "6cff57eea334",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "24803f38a5c0",
        "lessThan": "1e28018b5c83",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "24803f38a5c0",
        "lessThan": "3dd2aeac2e96",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "24803f38a5c0",
        "lessThan": "ac31cc837caf",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "24803f38a5c0",
        "lessThan": "77de6ee73f54",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "24803f38a5c0",
        "lessThan": "d8e2973029b8",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "net/ipv4/igmp.c"
    ],
    "versions": [
      {
        "version": "4.9",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "4.9",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.9.274",
        "lessThanOrEqual": "4.9.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.14.238",
        "lessThanOrEqual": "4.14.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "4.19.196",
        "lessThanOrEqual": "4.19.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.4.128",
        "lessThanOrEqual": "5.4.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.10.46",
        "lessThanOrEqual": "5.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.12.13",
        "lessThanOrEqual": "5.12.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "5.13",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]