cve/published/2021/CVE-2021-47292.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2021-47292: io_uring: fix memleak in io_init_wq_offload()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 io_uring: fix memleak in io_init_wq_offload()

 I got memory leak report when doing fuzz test:

 BUG: memory leak
 unreferenced object 0xffff888107310a80 (size 96):
 comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s)
 hex dump (first 32 bytes):
 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
 backtrace:
 [<000000001974933b>] kmalloc include/linux/slab.h:591 [inline]
 [<000000001974933b>] kzalloc include/linux/slab.h:721 [inline]
 [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline]
 [<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955
 [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016
 [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]
 [<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]
 [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]
 [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301
 [<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 [<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae

 CPU0                          CPU1
 io_uring_enter                io_uring_enter
 io_uring_add_tctx_node        io_uring_add_tctx_node
 __io_uring_add_tctx_node      __io_uring_add_tctx_node
 io_uring_alloc_task_context   io_uring_alloc_task_context
 io_init_wq_offload            io_init_wq_offload
 hash = kzalloc                hash = kzalloc
 ctx->hash_map = hash          ctx->hash_map = hash <- one of the hash is leaked

 When calling io_uring_enter() in parallel, the 'hash_map' will be leaked,
 add uring_lock to protect 'hash_map'.

 The Linux kernel CVE team has assigned CVE-2021-47292 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.12 with commit e941894eae31b52f0fd9bdb3ce20620afa152f45 and fixed in 5.13.6 with commit 502731a03f27cba1513fbbff77e508185ffce5bb
 	Issue introduced in 5.12 with commit e941894eae31b52f0fd9bdb3ce20620afa152f45 and fixed in 5.14 with commit 362a9e65289284f36403058eea2462d0330c1f24

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2021-47292
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/io_uring.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb
 	https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2021-47292: io_uring: fix memleak in io_init_wq_offload()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	io_uring: fix memleak in io_init_wq_offload()

	I got memory leak report when doing fuzz test:

	BUG: memory leak
	unreferenced object 0xffff888107310a80 (size 96):
	comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s)
	hex dump (first 32 bytes):
	01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
	00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
	backtrace:
	[<000000001974933b>] kmalloc include/linux/slab.h:591 [inline]
	[<000000001974933b>] kzalloc include/linux/slab.h:721 [inline]
	[<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline]
	[<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955
	[<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016
	[<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]
	[<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]
	[<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]
	[<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301
	[<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
	[<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
	[<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae

	CPU0 CPU1
	io_uring_enter io_uring_enter
	io_uring_add_tctx_node io_uring_add_tctx_node
	__io_uring_add_tctx_node __io_uring_add_tctx_node
	io_uring_alloc_task_context io_uring_alloc_task_context
	io_init_wq_offload io_init_wq_offload
	hash = kzalloc hash = kzalloc
	ctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked

	When calling io_uring_enter() in parallel, the 'hash_map' will be leaked,
	add uring_lock to protect 'hash_map'.

	The Linux kernel CVE team has assigned CVE-2021-47292 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.12 with commit e941894eae31b52f0fd9bdb3ce20620afa152f45 and fixed in 5.13.6 with commit 502731a03f27cba1513fbbff77e508185ffce5bb
	Issue introduced in 5.12 with commit e941894eae31b52f0fd9bdb3ce20620afa152f45 and fixed in 5.14 with commit 362a9e65289284f36403058eea2462d0330c1f24

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2021-47292
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/io_uring.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb
	https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24