CVE-2024-56643

Source
https://cve.org/CVERecord?id=CVE-2024-56643
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56643.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-56643
Published
2024-12-27T15:02:44.492Z
Modified
2026-05-28T03:53:49.502711845Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Summary
dccp: Fix memory leak in dccp_feat_change_recv
Details

In the Linux kernel, the following vulnerability has been resolved:

dccp: Fix memory leak in dccp_feat_change_recv

If dccp_feat_push_confirm() fails after new value for SP feature was accepted without reconciliation ('entry == NULL' branch), memory allocated for that value with dccp_feat_clone_sp_val() is never freed.

Here is the kmemleak stack for this:

unreferenced object 0xffff88801d4ab488 (size 8):
  comm "syz-executor310", pid 1127, jiffies 4295085598 (age 41.666s)
  hex dump (first 8 bytes):
    01 b4 4a 1d 80 88 ff ff  ..J.....
  backtrace:
    [<00000000db7cabfe>] kmemdup+0x23/0x50 mm/util.c:128
    [<0000000019b38405>] kmemdup include/linux/string.h:465 [inline]
    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:371 [inline]
    [<0000000019b38405>] dccp_feat_clone_sp_val net/dccp/feat.c:367 [inline]
    [<0000000019b38405>] dccp_feat_change_recv net/dccp/feat.c:1145 [inline]
    [<0000000019b38405>] dccp_feat_parse_options+0x1196/0x2180 net/dccp/feat.c:1416
    [<00000000b1f6d94a>] dccp_parse_options+0xa2a/0x1260 net/dccp/options.c:125
    [<0000000030d7b621>] dccp_rcv_state_process+0x197/0x13d0 net/dccp/input.c:650
    [<000000001f74c72e>] dccp_v4_do_rcv+0xf9/0x1a0 net/dccp/ipv4.c:688
    [<00000000a6c24128>] sk_backlog_rcv include/net/sock.h:1041 [inline]
    [<00000000a6c24128>] __release_sock+0x139/0x3b0 net/core/sock.c:2570
    [<00000000cf1f3a53>] release_sock+0x54/0x1b0 net/core/sock.c:3111
    [<000000008422fa23>] inet_wait_for_connect net/ipv4/af_inet.c:603 [inline]
    [<000000008422fa23>] __inet_stream_connect+0x5d0/0xf70 net/ipv4/af_inet.c:696
    [<0000000015b6f64d>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:735
    [<0000000010122488>] __sys_connect_file+0x15c/0x1a0 net/socket.c:1865
    [<00000000b4b70023>] __sys_connect+0x165/0x1a0 net/socket.c:1882
    [<00000000f4cb3815>] __do_sys_connect net/socket.c:1892 [inline]
    [<00000000f4cb3815>] __se_sys_connect net/socket.c:1889 [inline]
    [<00000000f4cb3815>] __x64_sys_connect+0x6e/0xb0 net/socket.c:1889
    [<00000000e7b1e839>] do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46
    [<0000000055e91434>] entry_SYSCALL_64_after_hwframe+0x67/0xd1

Clean up the allocated memory in case of dccp_feat_push_confirm() failure and bail out with an error reset code.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
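
The ownership pattern described in the details above, as an added user-space C model; it is not kernel code and not the actual patch. All names (`change_recv`, `push_confirm`, `clone_sp_val`, `RESET_ERR`, the `fail` and `fixed` flags, the `live_allocs` counter) are hypothetical stand-ins chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* User-space model of the leak; every name below is a hypothetical stand-in. */
struct sp_val { uint8_t *vec; size_t len; };
enum { RESET_NONE = 0, RESET_ERR = 1 };   /* hypothetical reset codes */
static int live_allocs;                   /* SP values cloned and not yet freed */
static struct sp_val confirmed;           /* models the list owning a confirmed value */

static int clone_sp_val(struct sp_val *fval, const uint8_t *val, size_t len)
{
    fval->vec = malloc(len);
    if (fval->vec == NULL)
        return -1;
    memcpy(fval->vec, val, len);
    fval->len = len;
    live_allocs++;
    return 0;
}

static void free_sp_val(struct sp_val *fval)
{
    live_allocs -= (fval->vec != NULL);
    free(fval->vec);
    fval->vec = NULL;
}

/* On success ownership moves to 'confirmed'; on failure the caller still owns fval. */
static int push_confirm(struct sp_val *fval, int fail)
{
    if (fail)                             /* simulated failure of the confirm step */
        return -1;
    free_sp_val(&confirmed);
    confirmed = *fval;
    return 0;
}

/* Models the 'entry == NULL' branch; 'fixed' picks the patched (1) or leaky (0) path. */
static int change_recv(const uint8_t *val, size_t len, int fail, int fixed)
{
    struct sp_val fval = { NULL, 0 };
    if (clone_sp_val(&fval, val, len))
        return RESET_ERR;
    if (push_confirm(&fval, fail) == 0)
        return RESET_NONE;
    if (fixed)
        free_sp_val(&fval);               /* the cleanup the fix describes */
    return RESET_ERR;                     /* leaky path: fval.vec is now unreachable */
}
```

With `fixed` set to 0 the failing call returns with one 8-byte buffer still counted in `live_allocs`, the same kind of orphaned `kmemdup` object that kmemleak reports in the trace above.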

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56643.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
e77b8363b2ea7c0d89919547c1a8b0562f298b57
Fixed
623be080ab3c13d71570bd32f7202a8efa8e2252
Fixed
c99507fff94b926fc92279c92d80f229c91cb85d
Fixed
bc3d4423def1a9412a0ae454cb4477089ab79276
Fixed
6ff67909ee2ffad911e3122616df41dee23ff4f6
Fixed
d3ec686a369fae5034303061f003cd3f94ddfd23
Fixed
9ee68b0f23706a77f53c832457b9384178b76421
Fixed
22be4727a8f898442066bcac34f8a1ad0bc72e14

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56643.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.29
Fixed
5.4.287
Type
ECOSYSTEM
Events
Introduced
5.5.0
Fixed
5.10.231
Type
ECOSYSTEM
Events
Introduced
5.11.0
Fixed
5.15.174
Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.120
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.66
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.12.5

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-56643.json"