CVE-2021-47238

Source
https://cve.org/CVERecord?id=CVE-2021-47238
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47238.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-47238
Downstream
Related
Published
2024-05-21T15:15:13.017Z
Modified
2026-03-13T05:20:37.602875Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ip_mc_add1_src

BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
  comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00  ................
  backtrace:
    [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
    [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
    [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
    [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
    [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
    [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
    [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
    [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
    [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
    [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
    [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
    [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
    [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
    [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae

In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, because it was also called in igmpv3_clear_delrec().

Rough callgraph:

inetdev_destroy -> ip_mc_destroy_dev -> igmpv3_clear_delrec -> ip_mc_clear_src -> RCU_INIT_POINTER(dev->ip_ptr, NULL)

However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through inetdev_by_index() and then in_dev->mc_list->sources cannot be released by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:

sock_close -> __sock_release -> inet_release -> ip_mc_drop_socket -> inetdev_by_index -> ip_mc_leave_src -> ip_mc_del_src -> ip_mc_del1_src

So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free in_dev->mc_list->sources.

References

Affected packages

Git /

Affected ranges

Database specific

unresolved_ranges
[
    {
        "events": [
            {
                "introduced": "3.2.87"
            },
            {
                "fixed": "3.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.16.42"
            },
            {
                "fixed": "3.17"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.9"
            },
            {
                "fixed": "4.9.274"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.10"
            },
            {
                "fixed": "4.14.238"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.15"
            },
            {
                "fixed": "4.19.196"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "4.20"
            },
            {
                "fixed": "5.4.128"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.5"
            },
            {
                "fixed": "5.10.46"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "5.11"
            },
            {
                "fixed": "5.12.13"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.13-rc1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.13-rc2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.13-rc3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.13-rc4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.13-rc5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.13-rc6"
            }
        ]
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-47238.json"