CVE-2022-50751

Summary

In the Linux kernel, the following vulnerability has been resolved:

configfs: fix possible memory leak in configfs_create_dir()

kmemleak reported memory leaks in configfs_create_dir():

unreferenced object 0xffff888009f6af00 (size 192): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) new_fragment (./include/linux/slab.h:600 fs/configfs/dir.c:163) configfs_register_subsystem (fs/configfs/dir.c:1857) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) …

unreferenced object 0xffff888003ba7180 (size 96): comm "modprobe", pid 3777, jiffies 4295537735 (age 233.784s) backtrace: kmem_cache_alloc (mm/slub.c:3250 mm/slub.c:3256 mm/slub.c:3263 mm/slub.c:3273) configfs_new_dirent (./include/linux/slab.h:723 fs/configfs/dir.c:194) configfs_make_dirent (fs/configfs/dir.c:248) configfs_create_dir (fs/configfs/dir.c:296) configfs_attach_group.isra.28 (fs/configfs/dir.c:816 fs/configfs/dir.c:852) configfs_register_subsystem (fs/configfs/dir.c:1881) basic_write (drivers/hwtracing/stm/p_basic.c:14) stm_p_basic do_one_initcall (init/main.c:1296) do_init_module (kernel/module/main.c:2455) …

This is because the refcount is not correct in configfs_make_dirent(). For normal stage, the refcount is changing as:

configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() configfs_new_dirent() # set s_count = 1 dentry->d_fsdata = configfs_get(sd); # s_count = 2 … configfs_unregister_subsystem() configfs_remove_dir() remove_dir() configfs_remove_dirent() # s_count = 1 dput() … dentry_unlink_inode() configfs_d_iput() # s_count = 0, release

However, if we failed in configfs_create():

configfs_register_subsystem() configfs_create_dir() configfs_make_dirent() # s_count = 2 … configfs_create() # fail ->out_remove: configfs_remove_dirent(dentry) configfs_put(sd) # s_count = 1 return PTR_ERR(inode);

There is no inode in the error path, so the configfs_d_iput() is lost and makes sd and fragment memory leaked.

To fix this, when we failed in configfs_create(), manually call configfs_put(sd) to keep the refcount correct.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux7063fbf2261194f72ee75afca67b3b38b554b5fa < 90c38f57a821499391526b15cc944c265bd24e48affected
LinuxLinux7063fbf2261194f72ee75afca67b3b38b554b5fa < 74ac7c9ee2d486c501e7864c903f5098fc477acdaffected
LinuxLinux7063fbf2261194f72ee75afca67b3b38b554b5fa < 07f82dca112262b169bec0001378126439cab776affected
LinuxLinux7063fbf2261194f72ee75afca67b3b38b554b5fa < 8bc77754224a2c8581727ffe2e958119b4e27c8faffected
LinuxLinux7063fbf2261194f72ee75afca67b3b38b554b5fa < c72eb6e6e49a71f7598740786568fafdd013a227affected
LinuxLinux7063fbf2261194f72ee75afca67b3b38b554b5fa < c65234b283a65cfbfc94619655e820a5e55199ebaffected
LinuxLinux2.6.16affected
LinuxLinux0 < 2.6.16unaffected
LinuxLinux5.4.229 <= 5.4.*unaffected
LinuxLinux5.10.163 <= 5.10.*unaffected
LinuxLinux5.15.86 <= 5.15.*unaffected
LinuxLinux6.0.16 <= 6.0.*unaffected
LinuxLinux6.1.2 <= 6.1.*unaffected
LinuxLinux6.2 <= *unaffected

Weaknesses

References