CVE-2021-47238

{"id": "CVE-2021-47238", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:13.017", "references": [{"url": "https://git.kernel.org/stable/c/0dc13e75507faa17ac9f7562b4ef7bf8fcd78422", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/1e28018b5c83d5073f74a6fb72eabe8370b2f501", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3dd2aeac2e9624cff9fa634710837e4f2e352758", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/6cff57eea3347f79f1867cc53e1093b6614138d8", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/77de6ee73f54a9a89c0afa0bf4c53b239aa9953a", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ac31cc837cafb57a271babad8ccffbf733caa076", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d8e2973029b8b2ce477b564824431f3385c77083", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-400"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv4: fix memory leak in ip_mc_add1_src\n\nBUG: memory leak\nunreferenced object 0xffff888101bc4c00 (size 32):\n comm \"syz-executor527\", pid 360, jiffies 4294807421 (age 19.329s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................\n backtrace:\n [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]\n [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]\n [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]\n [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095\n [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416\n [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]\n [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423\n [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857\n [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117\n [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]\n [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]\n [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125\n [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47\n [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn commit 24803f38a5c0 (\"igmp: do not remove igmp souce list info when set\nlink down\"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,\nbecause it was also called in igmpv3_clear_delrec().\n\nRough callgraph:\n\ninetdev_destroy\n-> ip_mc_destroy_dev\n -> igmpv3_clear_delrec\n -> ip_mc_clear_src\n-> RCU_INIT_POINTER(dev->ip_ptr, NULL)\n\nHowever, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't\nrelease in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the\nNULL to dev->ip_ptr. As a result, in_dev cannot be obtained through\ninetdev_by_index() and then in_dev->mc_list->sources cannot be released\nby ip_mc_del1_src() in the sock_close. Rough call sequence goes like:\n\nsock_close\n-> __sock_release\n -> inet_release\n -> ip_mc_drop_socket\n -> inetdev_by_index\n -> ip_mc_leave_src\n -> ip_mc_del_src\n -> ip_mc_del1_src\n\nSo we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free\nin_dev->mc_list->sources."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ipv4: corrige la p\u00e9rdida de memoria en ip_mc_add1_src. BUG: p\u00e9rdida de memoria objeto sin referencia 0xffff888101bc4c00 (tama\u00f1o 32): comm \"syz-executor527\", pid 360, jiffies 4294807421 (edad 19.329s) volcado hexadecimal (primeros 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [&lt;00000000f17c5244&gt;] kmalloc include/linux/slab.h:558 [en l\u00ednea] [&lt;00000000f17c5244&gt;] kzalloc include/ linux/slab.h:688 [en l\u00ednea] [&lt;00000000f17c5244&gt;] ip_mc_add1_src net/ipv4/igmp.c:1971 [en l\u00ednea] [&lt;00000000f17c5244&gt;] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 &lt;000000001cb99709 &gt;] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 [&lt;0000000052cf19ed&gt;] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [en l\u00ednea] [&lt;0000000052cf19ed&gt;] 0net/ipv4/ip_sockglue. c:1423 [&lt;00000000477edfbc&gt;] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 [&lt;00000000e75ca9bb&gt;] __sys_setsockopt+0x158/0x270 net/socket.c:2117 [&lt;00000000bdb993 a8&gt;] __do_sys_setsockopt net/socket.c :2128 [en l\u00ednea] [&lt;00000000bdb993a8&gt;] __se_sys_setsockopt net/socket.c:2125 [en l\u00ednea] [&lt;00000000bdb993a8&gt;] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 [&lt;000000006a 1ffdbd&gt;] do_syscall_64+0x40/0x80 arch/ x86/entry/common.c:47 [&lt;00000000b11467c4&gt;] Entry_SYSCALL_64_after_hwframe+0x44/0xae En la confirmaci\u00f3n 24803f38a5c0 (\"igmp: no eliminar la informaci\u00f3n de la lista de fuentes de igmp cuando se establece el enlace\"), se elimin\u00f3 ip_mc_clear_src() en ip_mc_destroy_dev() , porque tambi\u00e9n fue llamado en igmpv3_clear_delrec(). Gr\u00e1fico de llamada aproximado: inetdev_destroy -&gt; ip_mc_destroy_dev -&gt; igmpv3_clear_delrec -&gt; ip_mc_clear_src -&gt; RCU_INIT_POINTER(dev-&gt;ip_ptr, NULL) Sin embargo, ip_mc_clear_src() llamado en igmpv3_clear_delrec() no libera in_dev-&gt;mc_list-&gt;sources. Y RCU_INIT_POINTER() asigna NULL a dev-&gt;ip_ptr. Como resultado, in_dev no se puede obtener a trav\u00e9s de inetdev_by_index() y luego in_dev-&gt;mc_list-&gt;sources no se puede liberar mediante ip_mc_del1_src() en sock_close. La secuencia de llamada aproximada es as\u00ed: sock_close -&gt; __sock_release -&gt; inet_release -&gt; ip_mc_drop_socket -&gt; inetdev_by_index -&gt; ip_mc_leave_src -&gt; ip_mc_del_src -&gt; ip_mc_del1_src Entonces todav\u00eda necesitamos llamar a ip_mc_clear_src() en ip_mc_destroy_dev() para liberar in_dev-&gt;mc_list -&gt;fuentes ."}], "lastModified": "2024-07-03T01:37:26.920", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}