CVE-2021-47119

ext4: fix memory leak in ext4_fill_super

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_fill_super Buffer head references must be released before calling kill_bdev();
otherwise the buffer head (and its page referenced by b_data) will not
be freed by kill_bdev, and subsequently that bh will be leaked. If blocksizes differ, sb_set_blocksize() will kill current buffers and
page cache by using kill_bdev(). And then super block will be reread
again but using correct blocksize this time. sb_set_blocksize() didn't
fully free superblock page and buffer head, and being busy, they were
not freed and instead leaked. This can easily be reproduced by calling an infinite loop of: systemctl start <ext4_on_lvm>.mount, and systemctl stop <ext4_on_lvm>.mount ... since systemd creates a cgroup for each slice which it mounts, and
the bh leak get amplified by a dying memory cgroup that also never
gets freed, and memory consumption is much more easily noticed.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ext4: corrige la pérdida de memoria en ext4_fill_super Las referencias del encabezado del búfer deben liberarse antes de llamar a kill_bdev(); de lo contrario, kill_bdev no liberará el encabezado del búfer (y su página a la que hace referencia b_data) y, posteriormente, se filtrará ese bh. Si los tamaños de los bloques difieren, sb_set_blocksize() eliminará los búferes actuales y el caché de la página usando kill_bdev(). Y luego el superbloque se volverá a leer, pero esta vez utilizando el tamaño de bloque correcto. sb_set_blocksize() no liberó completamente la página del superbloque y el encabezado del búfer y, al estar ocupados, no se liberaron y en su lugar se filtraron. Esto se puede reproducir fácilmente llamando a un bucle infinito de: systemctl start .mount, y systemctl stop .mount... ya que systemd crea un cgroup para cada segmento que monta, y la fuga de bh se amplifica con un grupo de memoria moribundo que tampoco se libera nunca, y el consumo de memoria se nota mucho más fácilmente.

In the Linux kernel, the following vulnerability has been resolved: ext4: fix memory leak in ext4_fill_super Buffer head references must be released before calling kill_bdev(); otherwise the buffer head (and its page referenced by b_data) will not be freed by kill_bdev, and subsequently that bh will be leaked. If blocksizes differ, sb_set_blocksize() will kill current buffers and page cache by using kill_bdev(). And then super block will be reread again but using correct blocksize this time. sb_set_blocksize() didn't fully free superblock page and buffer head, and being busy, they were not freed and instead leaked. This can easily be reproduced by calling an infinite loop of: systemctl start <ext4_on_lvm>.mount, and systemctl stop <ext4_on_lvm>.mount ... since systemd creates a cgroup for each slice which it mounts, and the bh leak get amplified by a dying memory cgroup that also never gets freed, and memory consumption is much more easily noticed.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-04 CVE Reserved
2024-03-15 CVE Published
2024-12-19 CVE Updated
2025-03-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/ac27a0ec112a089f1a5102bc8dffc79c8c815571	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/01d349a481f0591230300a9171330136f9159bcd	2021-06-10
https://git.kernel.org/stable/c/1385b23396d511d5233b8b921ac3058b3f86a5e1	2021-06-10
https://git.kernel.org/stable/c/afd09b617db3786b6ef3dc43e28fe728cfea84df	2021-06-06

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.19 < 5.10.43 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.19 < 5.10.43"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.19 < 5.12.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.19 < 5.12.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 2.6.19 < 5.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 2.6.19 < 5.13"		en		Affected