Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd416baaa9-dc9f-4396-8d5f-8c081fb06d67NVD:CVE-2021-47238
HistoryMay 21, 2024 - 3:15 p.m.

CVE-2021-47238

2024-05-2115:15:13
416baaa9-dc9f-4396-8d5f-8c081fb06d67
web.nvd.nist.gov
linux kernel
memory leak
network vulnerability
ip_mc_add1_src
commit 24803f38a5c0
igmpv3_clear_delrec
rcu_init_pointer
inetdev_destroy
ip_mc_destroy_dev
ip_mc_clear_src
in_dev->mc_list->sources
sock_close.

6.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ip_mc_add1_src

BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
comm “syz-executor527”, pid 360, jiffies 4294807421 (age 19.329s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 …
01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 …
backtrace:
[<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
[<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
[<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
[<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
[<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
[<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
[<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
[<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
[<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
[<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
[<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
[<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
[<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
[<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae

In commit 24803f38a5c0 (“igmp: do not remove igmp souce list info when set
link down”), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
because it was also called in igmpv3_clear_delrec().

Rough callgraph:

inetdev_destroy
-> ip_mc_destroy_dev
-> igmpv3_clear_delrec
-> ip_mc_clear_src
-> RCU_INIT_POINTER(dev->ip_ptr, NULL)

However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn’t
release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the
NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through
inetdev_by_index() and then in_dev->mc_list->sources cannot be released
by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:

sock_close
-> __sock_release
-> inet_release
-> ip_mc_drop_socket
-> inetdev_by_index
-> ip_mc_leave_src
-> ip_mc_del_src
-> ip_mc_del1_src

So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
in_dev->mc_list->sources.

Related

cve 1
debiancve 1
cvelist 1
ubuntucve 1
redhatcve 1
nessus 3
openvas 1
cve
cve
CVE-2021-47238
2024-05-21 15:15:13
debiancve
debiancve
CVE-2021-47238
2024-05-21 15:15:13
cvelist
cvelist
CVE-2021-47238 net: ipv4: fix memory leak in ip_mc_add1_src
2024-05-21 14:19:39
ubuntucve
ubuntucve
CVE-2021-47238
2024-05-21 00:00:00
redhatcve
redhatcve
CVE-2021-47238
2024-05-23 14:02:08
nessus
nessus
SUSE SLED12 / SLES12 Security Update : kernel (SUSE-SU-2024:2184-1)
2024-06-25 00:00:00
SUSE SLES12 Security Update : kernel (SUSE-SU-2024:1983-1)
2024-06-12 00:00:00
SUSE SLES12 Security Update : kernel (SUSE-SU-2024:1979-1)
2024-06-12 00:00:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2024:1979-1)
2024-06-12 00:00:00

6.4 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON
Related for NVD:CVE-2021-47238
cve1debiancve1cvelist1ubuntucve1redhatcve1nessus3openvas1