{ "id": "CVE-2021-47237", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-05-21T15:15:12.930", "lastModified": "2024-12-30T19:05:28.320", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hamradio: fix memory leak in mkiss_close\n\nMy local syzbot instance hit memory leak in\nmkiss_open()[1]. The problem was in missing\nfree_netdev() in mkiss_close().\n\nIn mkiss_open() netdevice is allocated and then\nregistered, but in mkiss_close() netdevice was\nonly unregistered, but not freed.\n\nFail log:\n\nBUG: memory leak\nunreferenced object 0xffff8880281ba000 (size 4096):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0.............\n 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*............\n backtrace:\n [] kvmalloc_node+0x61/0xf0\n [] alloc_netdev_mqs+0x98/0xe80\n [] mkiss_open+0xb2/0x6f0 [1]\n [] tty_ldisc_open+0x9b/0x110\n [] tty_set_ldisc+0x2e8/0x670\n [] tty_ioctl+0xda3/0x1440\n [] __x64_sys_ioctl+0x193/0x200\n [] do_syscall_64+0x3a/0xb0\n [] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880141a9a00 (size 96):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(....\n 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@..........\n backtrace:\n [] __hw_addr_create_ex+0x5b/0x310\n [] __hw_addr_add_ex+0x1f8/0x2b0\n [] dev_addr_init+0x10b/0x1f0\n [] alloc_netdev_mqs+0x13b/0xe80\n [] mkiss_open+0xb2/0x6f0 [1]\n [] tty_ldisc_open+0x9b/0x110\n [] tty_set_ldisc+0x2e8/0x670\n [] tty_ioctl+0xda3/0x1440\n [] __x64_sys_ioctl+0x193/0x200\n [] do_syscall_64+0x3a/0xb0\n [] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff8880219bfc00 (size 512):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ff ...(............\n 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................\n backtrace:\n [] kvmalloc_node+0x61/0xf0\n [] alloc_netdev_mqs+0x777/0xe80\n [] mkiss_open+0xb2/0x6f0 [1]\n [] tty_ldisc_open+0x9b/0x110\n [] tty_set_ldisc+0x2e8/0x670\n [] tty_ioctl+0xda3/0x1440\n [] __x64_sys_ioctl+0x193/0x200\n [] do_syscall_64+0x3a/0xb0\n [] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nBUG: memory leak\nunreferenced object 0xffff888029b2b200 (size 256):\n comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (age 17.660s)\n hex dump (first 32 bytes):\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n [] kvmalloc_node+0x61/0xf0\n [] alloc_netdev_mqs+0x912/0xe80\n [] mkiss_open+0xb2/0x6f0 [1]\n [] tty_ldisc_open+0x9b/0x110\n [] tty_set_ldisc+0x2e8/0x670\n [] tty_ioctl+0xda3/0x1440\n [] __x64_sys_ioctl+0x193/0x200\n [] do_syscall_64+0x3a/0xb0\n [] entry_SYSCALL_64_after_hwframe+0x44/0xae" }, { "lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: net: hamradio: corrige la p\u00e9rdida de memoria en mkiss_close. Mi instancia local de syzbot tuvo una p\u00e9rdida de memoria en mkiss_open()[1]. El problema estaba en que faltaba free_netdev() en mkiss_close(). En mkiss_open() el dispositivo de red se asigna y luego se registra, pero en mkiss_close() el dispositivo de red solo se anula del registro, pero no se libera. Registro de errores: ERROR: p\u00e9rdida de memoria, objeto sin referencia 0xffff8880281ba000 (tama\u00f1o 4096): comunicaci\u00f3n \"syz-executor.1\", pid 11443, santiam\u00e9n 4295046091 (edad 17,660 s) volcado hexadecimal (primeros 32 bytes): 61 78 30 00 00 00 00 00 00 00 00 00 00 00 00 00 ax0............. 00 27 fa 2a 80 88 ff ff 00 00 00 00 00 00 00 00 .'.*....... .... seguimiento: [] kvmalloc_node+0x61/0xf0 [] alloc_netdev_mqs+0x98/0xe80 [] mkiss_open+0xb2/0x6f0 [] tty_ldisc_open+0x9b/0x110 [ ] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+0x3a/0xb0 [] Entry_SYSCALL_64_after_hwframe+0x44/0xae ERROR : p\u00e9rdida de memoria objeto sin referencia 0xffff8880141a9a00 (tama\u00f1o 96): comm \"syz-executor.1\", pid 11443, jiffies 4295046091 (edad 17.660s) volcado hexadecimal (primeros 32 bytes): e8 a2 1b 28 80 88 ff ff e8 a2 1b 28 80 88 ff ff ...(.......(.... 98 92 9c aa b0 40 02 00 00 00 00 00 00 00 00 00 .....@....... .. seguimiento: [] __hw_addr_create_ex+0x5b/0x310 [] __hw_addr_add_ex+0x1f8/0x2b0 [] f0 [] alloc_netdev_mqs+0x13b/0xe80 [] mkiss_open +0xb2/0x6f0 [1] [] tty_ldisc_open+0x9b/0x110 [] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+0x3a/0xb0 [] Entry_SYSCALL_64_after_hwframe+0x44/0xae ERROR: p\u00e9rdida de memoria objeto sin referencia 0xffff8880219bfc00 (tama\u00f1o 512): comm \"syz-executor.1\", pid 11443, jiffies 95046091 (edad 17.660 a\u00f1os) volcado hexadecimal (primeros 32 bytes): 00 a0 1b 28 80 88 ff ff 80 8f b1 8d ff ff ff ...(............ 80 8f b1 8d ff ff ff ff 00 00 00 00 00 00 00 00 ................ rastreo inverso: [] kvmalloc_node+0x61/0xf0 [] alloc_netdev_mqs+0x777/0xe80 [] mkiss_open+0xb2 /0x6f0 [1] [] tty_ldisc_open+0x9b/0x110 [] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+0x3a/0xb0 [] Entry_SYSCALL_64_after_hwframe+0x44/0xae ERROR: p\u00e9rdida de memoria objeto sin referencia 0xffff888029b2b200 (tama\u00f1o 256): comm \"syz-executor.1\", pid 11443, jiffies 046091 (edad 17.660 a\u00f1os) volcado hexadecimal (primero 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ rastreo inverso: [] kvmalloc_node+0x61/0xf0 [] alloc_netdev_mqs+0x912/0xe80 [] mkiss_open+0xb2/0x6f0 [1] [] tty_ldisc_open+0x9b/0x110 [] tty_set_ldisc+0x2e8/0x670 [] tty_ioctl+0xda3/0x1440 [] __x64_sys_ioctl+0x193/0x200 [] do_syscall_64+ 0x3a/0xb0 [] entrada_SYSCALL_64_after_hwframe+0x44/0xae" } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH" }, "exploitabilityScore": 1.8, "impactScore": 3.6 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "CWE-401" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.14", "versionEndExcluding": "4.4.274", "matchCriteriaId": "31B814DF-C8BD-4E58-9D36-9B770F38273B" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5", "versionEndExcluding": "4.9.274", "matchCriteriaId": "0A84D5BC-006F-41C5-A54D-6D45236009B3" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.10", "versionEndExcluding": "4.14.238", "matchCriteriaId": "C3C0DBBF-0923-4D2A-9178-134691F9933F" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.15", "versionEndExcluding": "4.19.196", "matchCriteriaId": "F3CAB837-7D38-4934-AD4F-195CEFD754E6" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.4.128", "matchCriteriaId": "6267BD4E-BE25-48B5-B850-4B493440DAFA" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.5", "versionEndExcluding": "5.10.46", "matchCriteriaId": "59455D13-A902-42E1-97F7-5ED579777193" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.12.13", "matchCriteriaId": "7806E7E5-6D4F-4E18-81C1-79B3C60EE855" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "0CBAD0FC-C281-4666-AB2F-F8E6E1165DF7" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc2:*:*:*:*:*:*", "matchCriteriaId": "96AC23B2-D46A-49D9-8203-8E1BEDCA8532" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc3:*:*:*:*:*:*", "matchCriteriaId": "DA610E30-717C-4700-9F77-A3C9244F3BFD" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc4:*:*:*:*:*:*", "matchCriteriaId": "1ECD33F5-85BE-430B-8F86-8D7BD560311D" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc5:*:*:*:*:*:*", "matchCriteriaId": "CF351855-2437-4CF5-AD7C-BDFA51F27683" }, { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:5.13:rc6:*:*:*:*:*:*", "matchCriteriaId": "25A855BA-2118-44F2-90EF-EBBB12AF51EF" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/290b0b6432e2599021db0b8d6046f756d931c29f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/3942d0f9ace1a95a74930b5b4fc0e5005c62b37b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/765a8a04f828db7222b36a42b1031f576bfe95c3", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/7edcc682301492380fbdd604b4516af5ae667a13", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/a49cbb762ef20655f5c91abdc13658b0af5e159d", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/c16c4716a1b5ba4f83c7e00da457cba06761f119", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/c634ba0b4159838ff45a60d3a0ace3b4118077a5", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/f4de2b43d13b7cf3ced9310e371b90c836dbd7cd", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/290b0b6432e2599021db0b8d6046f756d931c29f", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/3942d0f9ace1a95a74930b5b4fc0e5005c62b37b", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/765a8a04f828db7222b36a42b1031f576bfe95c3", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/7edcc682301492380fbdd604b4516af5ae667a13", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/a49cbb762ef20655f5c91abdc13658b0af5e159d", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/c16c4716a1b5ba4f83c7e00da457cba06761f119", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/c634ba0b4159838ff45a60d3a0ace3b4118077a5", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/f4de2b43d13b7cf3ced9310e371b90c836dbd7cd", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": [ "Patch" ] } ] }