CVE-2021-47250

Summary

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in netlbl_cipsov4_add_std

Reported by syzkaller: BUG: memory leak unreferenced object 0xffff888105df7000 (size 64): comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace: [<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline] [<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline] [<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline] [<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416 [<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739 [<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] [<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800 [<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504 [<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811 [<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] [<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340 [<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929 [<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline] [<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674 [<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350 [<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404 [<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433 [<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47 [<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae

The memory of doi_def->map.std pointing is allocated in netlbl_cipsov4_add_std, but no place has freed it. It should be freed in cipso_v4_doi_free which frees the cipso DOI resource.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < 212166510582631994be4f4b3fe15e10a03c1dd4affected
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < 086e92b1d68c6338535f715aad173f8cf4bfbc8caffected
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < 6dcea66d3bb519b426282588f38e884e07893c1faffected
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < 5340858147e3dc60913fb3dd0cbb758ec4a26e66affected
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < 398a24447eb60f060c8994221cb5ae6caf355fa1affected
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < deeeb65c6ee404f2d1fb80b38b2730645c0f4663affected
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < 0ffb460be3abac86f884a8c548bb02724ec370f4affected
LinuxLinux96cb8e3313c7a12e026c1ed510522ae6f6023875 < d612c3f3fae221e7ea736d196581c2217304bbbcaffected
LinuxLinux2.6.19affected
LinuxLinux0 < 2.6.19unaffected
LinuxLinux4.4.274 <= 4.4.*unaffected
LinuxLinux4.9.274 <= 4.9.*unaffected
LinuxLinux4.14.238 <= 4.14.*unaffected
LinuxLinux4.19.196 <= 4.19.*unaffected
LinuxLinux5.4.128 <= 5.4.*unaffected
LinuxLinux5.10.46 <= 5.10.*unaffected
LinuxLinux5.12.13 <= 5.12.*unaffected
LinuxLinux5.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References