CVE-2024-56712

Summary

In the Linux kernel, the following vulnerability has been resolved:

udmabuf: fix memory leak on last export_udmabuf() error path

In export_udmabuf(), if dma_buf_fd() fails because the FD table is full, a dma_buf owning the udmabuf has already been created; but the error handling in udmabuf_create() will tear down the udmabuf without doing anything about the containing dma_buf.

This leaves a dma_buf in memory that contains a dangling pointer; though that doesn't seem to lead to anything bad except a memory leak.

Fix it by moving the dma_buf_fd() call out of export_udmabuf() so that we can give it different error handling.

Note that the shape of this code changed a lot in commit 5e72b2b41a21 ("udmabuf: convert udmabuf driver to use folios"); but the memory leak seems to have existed since the introduction of udmabuf.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxfbb0de795078190a9834b3409e4b009cfb18a6d4 < c9fc8428d4255c2128da9c4d5cd92e554d0150cfaffected
LinuxLinuxfbb0de795078190a9834b3409e4b009cfb18a6d4 < f49856f525acd5bef52ae28b7da2e001bbe7439eaffected
LinuxLinux4.20affected
LinuxLinux0 < 4.20unaffected
LinuxLinux6.12.7 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References