SUSE: CVE-2021-47238: SUSE Linux Security Advisory

Severity: 5
CVSS (v2 vector): (AV:L/AC:L/Au:S/C:N/I:N/A:C)
Published: 05/21/2024
Added: 08/09/2024
Modified: 02/18/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ip_mc_add1_src

BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................
backtrace:
[] kmalloc include/linux/slab.h:558 [inline]
[] kzalloc include/linux/slab.h:688 [inline]
[] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
[] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
[] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
[] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
[] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
[] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
[] __sys_setsockopt+0x158/0x270 net/socket.c:2117
[] __do_sys_setsockopt net/socket.c:2128 [inline]
[] __se_sys_setsockopt net/socket.c:2125 [inline]
[] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
[] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
[] entry_SYSCALL_64_after_hwframe+0x44/0xae

In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set
link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
because it was also called in igmpv3_clear_delrec().

Rough callgraph:

inetdev_destroy
-> ip_mc_destroy_dev
   -> igmpv3_clear_delrec
      -> ip_mc_clear_src
-> RCU_INIT_POINTER(dev->ip_ptr, NULL)

However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't
release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the
NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through
inetdev_by_index() and then in_dev->mc_list->sources cannot be released
by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:

sock_close
-> __sock_release
   -> inet_release
      -> ip_mc_drop_socket
         -> inetdev_by_index
         -> ip_mc_leave_src
            -> ip_mc_del_src
               -> ip_mc_del1_src

So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
in_dev->mc_list->sources.
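
The sequence the commit message describes can be exercised from user space to check whether a kernel still leaks. The program below is an added reproducer written for this page; it is not code from the kernel commit or from SUSE. It follows the report's backtrace: a raw socket joins a source-specific multicast group via IP_ADD_SOURCE_MEMBERSHIP (ip_mc_source -> ip_mc_add_src -> ip_mc_add1_src allocates the 32-byte per-source entry), the interface is deleted while the socket is still open (inetdev_destroy -> ip_mc_destroy_dev), and only then is the socket closed, at which point ip_mc_drop_socket can no longer find the in_dev. A kmemleak scan then shows whether an object allocated in ip_mc_add1_src was orphaned. It assumes root, iproute2, and a kernel built with CONFIG_DEBUG_KMEMLEAK; the interface name igmp0 and the addresses are made up for the test (the source address is the one visible in the report's hex dump).

```c
/*
 * Added reproducer for the ip_mc_add1_src leak path; not kernel or SUSE code.
 * Assumptions: root, iproute2 in PATH, CONFIG_DEBUG_KMEMLEAK. The interface
 * name and addresses are hypothetical test values.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define IFNAME   "igmp0"            /* hypothetical dummy interface */
#define IFADDR   "172.20.20.1"      /* hypothetical address assigned to it */
#define GROUP    "232.1.1.1"        /* source-specific multicast range */
#define SOURCE   "172.20.20.187"    /* source address seen in the report's hex dump */
#define KMEMLEAK "/sys/kernel/debug/kmemleak"

/* Fill an ip_mreq_source for IP_ADD_SOURCE_MEMBERSHIP; 0 on success, -1 on bad input. */
int build_mreq_source(struct ip_mreq_source *m, const char *group,
                      const char *source, const char *ifaddr)
{
    memset(m, 0, sizeof *m);
    if (inet_pton(AF_INET, group, &m->imr_multiaddr) != 1 ||
        inet_pton(AF_INET, source, &m->imr_sourceaddr) != 1 ||
        inet_pton(AF_INET, ifaddr, &m->imr_interface) != 1)
        return -1;
    /* the kernel rejects a non-multicast group with EINVAL; fail early instead */
    return IN_MULTICAST(ntohl(m->imr_multiaddr.s_addr)) ? 0 : -1;
}

/* Trigger a synchronous kmemleak scan and search the report for needle.
 * Returns 1 if found, 0 if not found, -1 if kmemleak is unavailable. */
int kmemleak_scan_for(const char *path, const char *needle)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return -1;
    /* writing "scan" runs the scan inline; objects younger than ~5 s are not reported */
    if (write(fd, "scan", 4) != 4) { close(fd); return -1; }
    close(fd);

    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    char line[512];
    int found = 0;
    while (fgets(line, sizeof line, f))
        if (strstr(line, needle)) { found = 1; break; }
    fclose(f);
    return found;
}

int main(void)
{
    struct ip_mreq_source m;
    if (build_mreq_source(&m, GROUP, SOURCE, IFADDR) != 0) {
        fprintf(stderr, "bad addresses\n");
        return 1;
    }
    if (system("ip link add " IFNAME " type dummy && "
               "ip addr add " IFADDR "/24 dev " IFNAME " && "
               "ip link set " IFNAME " up") != 0)
        return 1;

    /* raw socket, as in the report's backtrace (raw_setsockopt -> ip_setsockopt) */
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_UDP);
    if (fd < 0) { perror("socket"); return 1; }
    /* ip_mc_source -> ip_mc_add_src -> ip_mc_add1_src: kzalloc of the source entry */
    if (setsockopt(fd, IPPROTO_IP, IP_ADD_SOURCE_MEMBERSHIP, &m, sizeof m) != 0) {
        perror("IP_ADD_SOURCE_MEMBERSHIP");
        return 1;
    }
    /* inetdev_destroy -> ip_mc_destroy_dev: dev->ip_ptr is cleared, sources are not freed */
    if (system("ip link del " IFNAME) != 0)
        return 1;
    /* ip_mc_drop_socket: inetdev_by_index() fails, so ip_mc_del1_src never runs */
    close(fd);

    sleep(6);   /* let the orphaned object exceed kmemleak's minimum reporting age */
    int r = kmemleak_scan_for(KMEMLEAK, "ip_mc_add1_src");
    if (r < 0) { fprintf(stderr, "kmemleak not available (CONFIG_DEBUG_KMEMLEAK?)\n"); return 2; }
    printf("%s\n", r ? "LEAK: object allocated in ip_mc_add1_src reported, kernel is affected"
                     : "no ip_mc_add1_src leak reported");
    return 0;
}
```

Build with `gcc -O2 -o igmp-leak igmp-leak.c` and run as root. A UDP socket works equally well since udp_setsockopt also forwards to ip_setsockopt; the raw socket is used only to mirror the syzkaller trace above. If the first scan reports nothing, a second scan a few seconds later is worth running, because kmemleak only reports objects that have been unreferenced for its minimum age.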

Solution(s)

suse-upgrade-kernel-azure
suse-upgrade-kernel-azure-base
suse-upgrade-kernel-azure-devel
suse-upgrade-kernel-default
suse-upgrade-kernel-default-base
suse-upgrade-kernel-default-devel
suse-upgrade-kernel-default-extra
suse-upgrade-kernel-default-man
suse-upgrade-kernel-devel
suse-upgrade-kernel-devel-azure
suse-upgrade-kernel-docs
suse-upgrade-kernel-macros
suse-upgrade-kernel-obs-build
suse-upgrade-kernel-source
suse-upgrade-kernel-source-azure
suse-upgrade-kernel-syms
suse-upgrade-kernel-syms-azure