cve/published/2022/CVE-2022-49627.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49627: ima: Fix potential memory leak in ima_init_crypto()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ima: Fix potential memory leak in ima_init_crypto()

 On failure to allocate the SHA1 tfm, IMA fails to initialize and exits
 without freeing the ima_algo_array. Add the missing kfree() for
 ima_algo_array to avoid the potential memory leak.

 The Linux kernel CVE team has assigned CVE-2022-49627 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.10.132 with commit c1d9702ceb4a091da6bee380627596d1fba09274
 	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.15.56 with commit 601ae26aa2802a4c10c94d7388a99eabdbefab2b
 	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.18.13 with commit 830de9667b3ada0a75a3f098dfc7159709fe397b
 	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.19 with commit 067d2521874135267e681c19d42761c601d503d6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49627
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	security/integrity/ima/ima_crypto.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/c1d9702ceb4a091da6bee380627596d1fba09274
 	https://git.kernel.org/stable/c/601ae26aa2802a4c10c94d7388a99eabdbefab2b
 	https://git.kernel.org/stable/c/830de9667b3ada0a75a3f098dfc7159709fe397b
 	https://git.kernel.org/stable/c/067d2521874135267e681c19d42761c601d503d6
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49627: ima: Fix potential memory leak in ima_init_crypto()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ima: Fix potential memory leak in ima_init_crypto()

	On failure to allocate the SHA1 tfm, IMA fails to initialize and exits
	without freeing the ima_algo_array. Add the missing kfree() for
	ima_algo_array to avoid the potential memory leak.

	The Linux kernel CVE team has assigned CVE-2022-49627 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.10.132 with commit c1d9702ceb4a091da6bee380627596d1fba09274
	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.15.56 with commit 601ae26aa2802a4c10c94d7388a99eabdbefab2b
	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.18.13 with commit 830de9667b3ada0a75a3f098dfc7159709fe397b
	Issue introduced in 5.8 with commit 6d94809af6b0830c4dfcad661535a5939bcb8a7d and fixed in 5.19 with commit 067d2521874135267e681c19d42761c601d503d6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49627
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	security/integrity/ima/ima_crypto.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/c1d9702ceb4a091da6bee380627596d1fba09274
	https://git.kernel.org/stable/c/601ae26aa2802a4c10c94d7388a99eabdbefab2b
	https://git.kernel.org/stable/c/830de9667b3ada0a75a3f098dfc7159709fe397b
	https://git.kernel.org/stable/c/067d2521874135267e681c19d42761c601d503d6