| The vulnerability, identified as CVE-2021-47009, resides in the Linux kernel's trusted key subsystem. Specifically, it affects the `trusted_tpm1.c` file within the `security/keys/trusted-keys` directory. Two error return paths neglect to free the allocated object `td`, resulting in a memory leak. |
| |
| The vulnerability was introduced in various kernel versions, including 5.10.20, 5.11.3, and 5.12, through specific commits. It was fixed in subsequent kernel versions, such as 5.10.38, 5.11.22, 5.12.5, and 5.13, via distinct commits. |
| |
| The fix makes both paths return via the error return path that securely frees the allocated `td` object with `kfree`. This also resolves a clang scan-build warning about a potential memory leak. The Linux kernel CVE team recommends updating to the latest stable kernel version, which addresses this issue along with other bug fixes. If updating is not possible, the individual changes can be cherry-picked from the specific commits, although this approach is not recommended or supported by the Linux kernel community. |
| |
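The leak pattern and the shape of the fix, as an added user-space example that is not the kernel's code: two early returns skip the cleanup, and the corrected version sends every failure through one exit that wipes and frees `td`. The names `struct digests`, `td_alloc`, `td_free_secure`, `do_step`, `seal_leaky` and `seal_fixed` are hypothetical, and `live_allocs` is a counter added only to make the leak observable.

```c
#include <errno.h>
#include <stdlib.h>
/* User-space model of the bug class; every name here is hypothetical. */
struct digests { unsigned char secret[64]; };
static int live_allocs;                 /* outstanding td allocations */

static struct digests *td_alloc(void)
{
    struct digests *td = calloc(1, sizeof(*td));
    live_allocs += (td != NULL);
    return td;
}
static void td_free_secure(struct digests *td)
{
    volatile unsigned char *p = (volatile unsigned char *)td;
    for (size_t i = 0; td && i < sizeof(*td); i++)
        p[i] = 0;                       /* wipe key material before release */
    live_allocs -= (td != NULL);
    free(td);
}
/* Stand-in for a helper that can fail: fails when n == fail_at. */
static int do_step(int n, int fail_at) { return n == fail_at ? -EINVAL : 0; }

int seal_leaky(int fail_at)             /* before: two returns skip cleanup */
{
    struct digests *td = td_alloc();
    int ret;
    if (!td)
        return -ENOMEM;
    if ((ret = do_step(1, fail_at)) < 0)
        return ret;                     /* td leaked */
    if ((ret = do_step(2, fail_at)) < 0)
        return ret;                     /* td leaked */
    td_free_secure(td);
    return 0;
}

int seal_fixed(int fail_at)             /* after: a single exit frees td */
{
    struct digests *td = td_alloc();
    int ret;
    if (!td)
        return -ENOMEM;
    if ((ret = do_step(1, fail_at)) < 0)
        goto out;
    ret = do_step(2, fail_at);
out:
    td_free_secure(td);
    return ret;
}
```

Each failing call to `seal_leaky` leaves one more allocation outstanding, while `seal_fixed` returns the same error codes with the counter back at zero.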