Ubuntu.comUB:CVE-2021-47238CVE-2021-47238
In the Linux kernel, the following vulnerability has been resolved: net:
ipv4: fix memory leak in ip_mc_add1_src BUG: memory leak unreferenced
object 0xffff888101bc4c00 (size 32): comm “syz-executor527”, pid 360,
jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 … 01 00 00 00 00 00 00 00
ac 14 14 bb 00 00 02 00 … backtrace: [<00000000f17c5244>]
kmalloc include/linux/slab.h:558 [inline] [<00000000f17c5244>] kzalloc
include/linux/slab.h:688 [inline] [<00000000f17c5244>] ip_mc_add1_src
net/ipv4/igmp.c:1971 [inline] [<00000000f17c5244>]
ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 [<000000001cb99709>]
ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 [<0000000052cf19ed>]
do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] [<0000000052cf19ed>]
ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
[<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
[<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
[<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
[<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
[<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
[<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
[<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae In commit
24803f38a5c0 (“igmp: do not remove igmp souce list info when set link
down”), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, because
it was also called in igmpv3_clear_delrec(). Rough callgraph:
inetdev_destroy -> ip_mc_destroy_dev -> igmpv3_clear_delrec ->
ip_mc_clear_src -> RCU_INIT_POINTER(dev->ip_ptr, NULL) However,
ip_mc_clear_src() called in igmpv3_clear_delrec() doesn’t release
in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the NULL to
dev->ip_ptr. As a result, in_dev cannot be obtained through
inetdev_by_index() and then in_dev->mc_list->sources cannot be released by
ip_mc_del1_src() in the sock_close. Rough call sequence goes like:
sock_close -> __sock_release -> inet_release -> ip_mc_drop_socket ->
inetdev_by_index -> ip_mc_leave_src -> ip_mc_del_src -> ip_mc_del1_src So
we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
in_dev->mc_list->sources.
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 23.10 | noarch | linux | < any | UNKNOWN |
| ubuntu | 24.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 14.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | linux | < any | UNKNOWN |
| ubuntu | 18.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 20.04 | noarch | linux-aws | < any | UNKNOWN |
| ubuntu | 22.04 | noarch | linux-aws | < any | UNKNOWN |
References
git.kernel.org/linus/d8e2973029b8b2ce477b564824431f3385c77083 (5.13-rc7)
git.kernel.org/stable/c/0dc13e75507faa17ac9f7562b4ef7bf8fcd78422
git.kernel.org/stable/c/1e28018b5c83d5073f74a6fb72eabe8370b2f501
git.kernel.org/stable/c/3dd2aeac2e9624cff9fa634710837e4f2e352758
git.kernel.org/stable/c/6cff57eea3347f79f1867cc53e1093b6614138d8
git.kernel.org/stable/c/77de6ee73f54a9a89c0afa0bf4c53b239aa9953a
git.kernel.org/stable/c/ac31cc837cafb57a271babad8ccffbf733caa076
git.kernel.org/stable/c/d8e2973029b8b2ce477b564824431f3385c77083
launchpad.net/bugs/cve/CVE-2021-47238
nvd.nist.gov/vuln/detail/CVE-2021-47238
security-tracker.debian.org/tracker/CVE-2021-47238
www.cve.org/CVERecord?id=CVE-2021-47238
Related
