| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2021-47024: vsock/virtio: free queued packets when closing socket |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| vsock/virtio: free queued packets when closing socket |
| |
| As reported by syzbot [1], there is a memory leak while closing the |
| socket. We partially solved this issue with commit ac03046ece2b |
| ("vsock/virtio: free packets during the socket release"), but we |
| forgot to drain the RX queue when the socket is definitely closed by |
| the scheduled work. |
| |
| To avoid future issues, let's use the new virtio_transport_remove_sock() |
| to drain the RX queue before removing the socket from the af_vsock lists |
| calling vsock_remove_sock(). |
| |
| [1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9 |
| |
| The Linux kernel CVE team has assigned CVE-2021-47024 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 5.2 with commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 and fixed in 5.10.37 with commit b605673b523fe33abeafb2136759bcbc9c1e6ebf |
| Issue introduced in 5.2 with commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 and fixed in 5.11.21 with commit 27691665145e74a45034a9dccf1150cf1894763a |
| Issue introduced in 5.2 with commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 and fixed in 5.12.4 with commit 37c38674ef2f8d7e8629e5d433c37d6c1273d16b |
| Issue introduced in 5.2 with commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 and fixed in 5.13 with commit 8432b8114957235f42e070a16118a7f750de9d39 |
| Issue introduced in 4.9.179 with commit 4ea082cd3c400cd5bb36a7beb7e441bf3e29350d |
| Issue introduced in 4.14.122 with commit 4e539fa2dec4db3405e47002f2878aa4a99eb68b |
| Issue introduced in 4.19.46 with commit 4af8a327aeba102aaa9b78f3451f725bc590b237 |
| Issue introduced in 5.0.19 with commit 51adb8ebe8c1d80528fc2ea863cfea9d32d2c52b |
| Issue introduced in 5.1.5 with commit 7d29c9ad0ed525c1b10e29cfca4fb1eece1e93fb |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2021-47024 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| net/vmw_vsock/virtio_transport_common.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/b605673b523fe33abeafb2136759bcbc9c1e6ebf |
| https://git.kernel.org/stable/c/27691665145e74a45034a9dccf1150cf1894763a |
| https://git.kernel.org/stable/c/37c38674ef2f8d7e8629e5d433c37d6c1273d16b |
| https://git.kernel.org/stable/c/8432b8114957235f42e070a16118a7f750de9d39 |
