CVE-2021-47238

net: ipv4: fix memory leak in ip_mc_add1_src

Severity Score: 5.5 (CVSS v3.1)
Exploit Likelihood: not listed (EPSS)
Affected Versions: see the table below (CPE)
Public Exploits: 0 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: Track (SSVC)

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

net: ipv4: fix memory leak in ip_mc_add1_src

BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................
backtrace:
[<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
[<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
[<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
[<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
[<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
[<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
[<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
[<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
[<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
[<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
[<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
[<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
[<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
[<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae

In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set
link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
because it was also called in igmpv3_clear_delrec().

Rough callgraph:

inetdev_destroy
-> ip_mc_destroy_dev
-> igmpv3_clear_delrec
-> ip_mc_clear_src
-> RCU_INIT_POINTER(dev->ip_ptr, NULL)

However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't
release in_dev->mc_list->sources, and RCU_INIT_POINTER() assigns NULL
to dev->ip_ptr. As a result, in_dev cannot be obtained through
inetdev_by_index(), and then in_dev->mc_list->sources cannot be released
by ip_mc_del1_src() in sock_close. Rough call sequence goes like:

sock_close
-> __sock_release
-> inet_release
-> ip_mc_drop_socket
-> inetdev_by_index
-> ip_mc_leave_src
-> ip_mc_del_src
-> ip_mc_del1_src

So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
in_dev->mc_list->sources.
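The two teardown paths described above, as an added user-space model that is not the kernel's code: the struct layouts, `ip_ptr`, `live_sources` and `leaked_sources_after_teardown()` are simplified stand-ins (assumptions), and the ordering modelled is the one the commit message describes, link down before the socket closes.

```c
/* Added model, not kernel code: simplified stand-ins for the kernel structs. */
#include <stdlib.h>

struct ip_sf_list { struct ip_sf_list *next; unsigned int sf_inaddr; };
struct ip_mc_list { struct ip_sf_list *sources; };
struct in_device  { struct ip_mc_list *mc_list; };
static int live_sources;          /* outstanding kzalloc'd source entries */
static struct in_device *ip_ptr;  /* models dev->ip_ptr */
/* ip_mc_add1_src(): one entry per IP_ADD_SOURCE_MEMBERSHIP (the kzalloc in igmp.c) */
static void ip_mc_add1_src(struct ip_mc_list *pmc, unsigned int addr)
{
    struct ip_sf_list *psf = calloc(1, sizeof *psf);
    psf->sf_inaddr = addr;
    psf->next = pmc->sources;
    pmc->sources = psf;
    live_sources++;
}

static void ip_mc_clear_src(struct ip_mc_list *pmc)
{
    for (struct ip_sf_list *psf = pmc->sources, *next; psf; psf = next) {
        next = psf->next; free(psf); live_sources--;
    }
    pmc->sources = NULL;
}

/* inetdev_destroy -> ip_mc_destroy_dev: the fix re-adds ip_mc_clear_src() here. */
static void inetdev_destroy(int fixed)
{
    struct in_device *in_dev = ip_ptr;
    if (fixed)
        ip_mc_clear_src(in_dev->mc_list);
    ip_ptr = NULL;                /* RCU_INIT_POINTER(dev->ip_ptr, NULL) */
    free(in_dev->mc_list);        /* any leftover sources are now unreachable */
    free(in_dev);
}

/* Source entries still allocated after link-down followed by socket close. */
int leaked_sources_after_teardown(int fixed)
{
    live_sources = 0;
    ip_ptr = calloc(1, sizeof *ip_ptr);
    ip_ptr->mc_list = calloc(1, sizeof *ip_ptr->mc_list);
    ip_mc_add1_src(ip_ptr->mc_list, 0xac1414bbu);  /* constructed; same bytes as ac 14 14 bb above */
    inetdev_destroy(fixed);       /* link goes down first ... */
    if (ip_ptr)                   /* sock_close -> inetdev_by_index(): NULL, so ip_mc_del1_src() never runs */
        ip_mc_clear_src(ip_ptr->mc_list);
    return live_sources;          /* 1 unfixed, 0 fixed */
}
```

Running the unfixed path under valgrind or LeakSanitizer reports the one orphaned entry, the user-space counterpart of the kmemleak report quoted above.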


*Credits: N/A
CVSS Scores
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Track
  • Exploitation: None
  • Automatable: No
  • Tech. Impact: Partial
* Organization's Worst-case Scenario
Timeline
  • 2024-04-10 CVE Reserved
  • 2024-05-21 CVE Published
  • 2024-05-22 EPSS Updated
  • 2024-12-19 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-400: Uncontrolled Resource Consumption
CAPEC
Affected Vendors, Products, and Versions

Vendor   Product        Version              Other   Status
Linux    Linux Kernel   >= 4.9 < 4.9.274     en      Affected
Linux    Linux Kernel   >= 4.9 < 4.14.238    en      Affected
Linux    Linux Kernel   >= 4.9 < 4.19.196    en      Affected
Linux    Linux Kernel   >= 4.9 < 5.4.128     en      Affected
Linux    Linux Kernel   >= 4.9 < 5.10.46     en      Affected
Linux    Linux Kernel   >= 4.9 < 5.12.13     en      Affected
Linux    Linux Kernel   >= 4.9 < 5.13        en      Affected
Linux    Linux Kernel   3.2.87               en      Affected
Linux    Linux Kernel   3.16.42              en      Affected