cve/published/2021/CVE-2021-47249.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47249: net: rds: fix memory leak in rds_recvmsg

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: rds: fix memory leak in rds_recvmsg

 Syzbot reported memory leak in rds. The problem
 was in unputted refcount in case of error.

 int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
 		int msg_flags)
 {
 ...

 	if (!rds_next_incoming(rs, &inc)) {
 		...
 	}

 After this "if" inc refcount incremented and

 	if (rds_cmsg_recv(inc, msg, rs)) {
 		ret = -EFAULT;
 		goto out;
 	}
 ...
 out:
 	return ret;
 }

 in case of rds_cmsg_recv() fail the refcount won't be
 decremented. And it's easy to see from ftrace log, that
 rds_inc_addref() don't have rds_inc_put() pair in
 rds_recvmsg() after rds_cmsg_recv()

  1)               |  rds_recvmsg() {
  1)   3.721 us    |    rds_inc_addref();
  1)   3.853 us    |    rds_message_inc_copy_to_user();
  1) + 10.395 us   |    rds_cmsg_recv();
  1) + 34.260 us   |  }

 The Linux kernel CVE team has assigned CVE-2021-47249 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.4.274 with commit 8c3ec88b03e9e4ca117dcdc4204fd3edcd02084f
 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.9.274 with commit 423c6939758fb3b9cf5abbd1e7792068a5c4ae8c
 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.14.238 with commit 1f79bc8ae81c05eb112a53f981cb2c244ee50d02
 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.19.196 with commit 06b7cb0194bd1ede0dd27f3a946e7c0279fba44a
 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.4.128 with commit 2038cd15eacdf7512755c27686822e0052eb9042
 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.10.46 with commit 5946fbf48355f5a8caeff72580c7658da5966b86
 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.12.13 with commit b25b60d076164edb3025e85aabd2cf50a5215b91
 	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.13 with commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47249
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/rds/recv.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/8c3ec88b03e9e4ca117dcdc4204fd3edcd02084f
 	https://git.kernel.org/stable/c/423c6939758fb3b9cf5abbd1e7792068a5c4ae8c
 	https://git.kernel.org/stable/c/1f79bc8ae81c05eb112a53f981cb2c244ee50d02
 	https://git.kernel.org/stable/c/06b7cb0194bd1ede0dd27f3a946e7c0279fba44a
 	https://git.kernel.org/stable/c/2038cd15eacdf7512755c27686822e0052eb9042
 	https://git.kernel.org/stable/c/5946fbf48355f5a8caeff72580c7658da5966b86
 	https://git.kernel.org/stable/c/b25b60d076164edb3025e85aabd2cf50a5215b91
 	https://git.kernel.org/stable/c/49bfcbfd989a8f1f23e705759a6bb099de2cff9f
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47249: net: rds: fix memory leak in rds_recvmsg

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: rds: fix memory leak in rds_recvmsg

	Syzbot reported memory leak in rds. The problem
	was in unputted refcount in case of error.

	int rds_recvmsg(struct socket sock, struct msghdr msg, size_t size,
	int msg_flags)
	{
	...

	if (!rds_next_incoming(rs, &inc)) {
	...
	}

	After this "if" inc refcount incremented and

	if (rds_cmsg_recv(inc, msg, rs)) {
	ret = -EFAULT;
	goto out;
	}
	...
	out:
	return ret;
	}

	in case of rds_cmsg_recv() fail the refcount won't be
	decremented. And it's easy to see from ftrace log, that
	rds_inc_addref() don't have rds_inc_put() pair in
	rds_recvmsg() after rds_cmsg_recv()

	1) \| rds_recvmsg() {
	1) 3.721 us \| rds_inc_addref();
	1) 3.853 us \| rds_message_inc_copy_to_user();
	1) + 10.395 us \| rds_cmsg_recv();
	1) + 34.260 us \| }

	The Linux kernel CVE team has assigned CVE-2021-47249 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.4.274 with commit 8c3ec88b03e9e4ca117dcdc4204fd3edcd02084f
	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.9.274 with commit 423c6939758fb3b9cf5abbd1e7792068a5c4ae8c
	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.14.238 with commit 1f79bc8ae81c05eb112a53f981cb2c244ee50d02
	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 4.19.196 with commit 06b7cb0194bd1ede0dd27f3a946e7c0279fba44a
	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.4.128 with commit 2038cd15eacdf7512755c27686822e0052eb9042
	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.10.46 with commit 5946fbf48355f5a8caeff72580c7658da5966b86
	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.12.13 with commit b25b60d076164edb3025e85aabd2cf50a5215b91
	Issue introduced in 2.6.30 with commit bdbe6fbc6a2f2ccfb384b141b257677d2a8d36fb and fixed in 5.13 with commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47249
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/rds/recv.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/8c3ec88b03e9e4ca117dcdc4204fd3edcd02084f
	https://git.kernel.org/stable/c/423c6939758fb3b9cf5abbd1e7792068a5c4ae8c
	https://git.kernel.org/stable/c/1f79bc8ae81c05eb112a53f981cb2c244ee50d02
	https://git.kernel.org/stable/c/06b7cb0194bd1ede0dd27f3a946e7c0279fba44a
	https://git.kernel.org/stable/c/2038cd15eacdf7512755c27686822e0052eb9042
	https://git.kernel.org/stable/c/5946fbf48355f5a8caeff72580c7658da5966b86
	https://git.kernel.org/stable/c/b25b60d076164edb3025e85aabd2cf50a5215b91
	https://git.kernel.org/stable/c/49bfcbfd989a8f1f23e705759a6bb099de2cff9f