cve/published/2022/CVE-2022-49890.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.1.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-49890: capabilities: fix potential memleak on error path from vfs_getxattr_alloc()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 capabilities: fix potential memleak on error path from vfs_getxattr_alloc()

 In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to
 complete the memory allocation of tmpbuf, if we have completed
 the memory allocation of tmpbuf, but failed to call handler->get(...),
 there will be a memleak in below logic:

   |-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...)
     |           /* ^^^ alloc for tmpbuf */
     |-- value = krealloc(*xattr_value, error + 1, flags)
     |           /* ^^^ alloc memory */
     |-- error = handler->get(handler, ...)
     |           /* error! */
     |-- *xattr_value = value
     |           /* xattr_value is &tmpbuf (memory leak!) */

 So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.

 [PM: subject line and backtrace tweaks]

 The Linux kernel CVE team has assigned CVE-2022-49890 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 4.14.299 with commit 6bb00eb21c0fbf18e5d3538c9ff0cf63fd0ace85
 	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 4.19.265 with commit 90577bcc01c4188416a47269f8433f70502abe98
 	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 5.4.224 with commit 0c3e6288da650d1ec911a259c77bc2d88e498603
 	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 5.10.154 with commit cdf01c807e974048c43c7fd3ca574f6086a57906
 	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 5.15.78 with commit 2de8eec8afb75792440b8900a01d52b8f6742fd1
 	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 6.0.8 with commit 7480aeff0093d8c54377553ec6b31110bea37b4d
 	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 6.1 with commit 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-49890
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	security/commoncap.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6bb00eb21c0fbf18e5d3538c9ff0cf63fd0ace85
 	https://git.kernel.org/stable/c/90577bcc01c4188416a47269f8433f70502abe98
 	https://git.kernel.org/stable/c/0c3e6288da650d1ec911a259c77bc2d88e498603
 	https://git.kernel.org/stable/c/cdf01c807e974048c43c7fd3ca574f6086a57906
 	https://git.kernel.org/stable/c/2de8eec8afb75792440b8900a01d52b8f6742fd1
 	https://git.kernel.org/stable/c/7480aeff0093d8c54377553ec6b31110bea37b4d
 	https://git.kernel.org/stable/c/8cf0a1bc12870d148ae830a4ba88cfdf0e879cee
	From bippy-1.1.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-49890: capabilities: fix potential memleak on error path from vfs_getxattr_alloc()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	capabilities: fix potential memleak on error path from vfs_getxattr_alloc()

	In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to
	complete the memory allocation of tmpbuf, if we have completed
	the memory allocation of tmpbuf, but failed to call handler->get(...),
	there will be a memleak in below logic:

	\|-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...)
	\| /* ^^^ alloc for tmpbuf */
	\|-- value = krealloc(*xattr_value, error + 1, flags)
	\| /* ^^^ alloc memory */
	\|-- error = handler->get(handler, ...)
	\| /* error! */
	\|-- *xattr_value = value
	\| /* xattr_value is &tmpbuf (memory leak!) */

	So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.

	[PM: subject line and backtrace tweaks]

	The Linux kernel CVE team has assigned CVE-2022-49890 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 4.14.299 with commit 6bb00eb21c0fbf18e5d3538c9ff0cf63fd0ace85
	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 4.19.265 with commit 90577bcc01c4188416a47269f8433f70502abe98
	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 5.4.224 with commit 0c3e6288da650d1ec911a259c77bc2d88e498603
	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 5.10.154 with commit cdf01c807e974048c43c7fd3ca574f6086a57906
	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 5.15.78 with commit 2de8eec8afb75792440b8900a01d52b8f6742fd1
	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 6.0.8 with commit 7480aeff0093d8c54377553ec6b31110bea37b4d
	Issue introduced in 4.14 with commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340 and fixed in 6.1 with commit 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-49890
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	security/commoncap.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6bb00eb21c0fbf18e5d3538c9ff0cf63fd0ace85
	https://git.kernel.org/stable/c/90577bcc01c4188416a47269f8433f70502abe98
	https://git.kernel.org/stable/c/0c3e6288da650d1ec911a259c77bc2d88e498603
	https://git.kernel.org/stable/c/cdf01c807e974048c43c7fd3ca574f6086a57906
	https://git.kernel.org/stable/c/2de8eec8afb75792440b8900a01d52b8f6742fd1
	https://git.kernel.org/stable/c/7480aeff0093d8c54377553ec6b31110bea37b4d
	https://git.kernel.org/stable/c/8cf0a1bc12870d148ae830a4ba88cfdf0e879cee