CVE-2021-47238

Severity CVSS v4.0:

Pending analysis

Type:

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

Publication date:

21/05/2024

Last modified:

04/04/2025

Description

In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix memory leak in ip_mc_add1_src BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [] kmalloc include/linux/slab.h:558 [inline] [] kzalloc include/linux/slab.h:688 [inline] [] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] [] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 [] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 [] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] [] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 [] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 [] __sys_setsockopt+0x158/0x270 net/socket.c:2117 [] __do_sys_setsockopt net/socket.c:2128 [inline] [] __se_sys_setsockopt net/socket.c:2125 [inline] [] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 [] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 [] entry_SYSCALL_64_after_hwframe+0x44/0xae In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed, because it was also called in igmpv3_clear_delrec(). Rough callgraph: inetdev_destroy -> ip_mc_destroy_dev -> igmpv3_clear_delrec -> ip_mc_clear_src -> RCU_INIT_POINTER(dev->ip_ptr, NULL) However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn&#39;t release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through inetdev_by_index() and then in_dev->mc_list->sources cannot be released by ip_mc_del1_src() in the sock_close. Rough call sequence goes like: sock_close -> __sock_release -> inet_release -> ip_mc_drop_socket -> inetdev_by_index -> ip_mc_leave_src -> ip_mc_del_src -> ip_mc_del1_src So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free in_dev->mc_list->sources.

Impact

Vector 3.x

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS v3.1 Severity and Metrics:

Base Score: 5.50 MEDIUM
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Base Score 3.x

5.50

Severity 3.x

MEDIUM

Vulnerable products and versions

CPE	From	Up to
cpe:2.3:o:linux:linux_kernel::::::::	3.2.87 (including)	3.3 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	3.16.42 (including)	3.17 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	4.9 (including)	4.9.274 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	4.10 (including)	4.14.238 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	4.15 (including)	4.19.196 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	4.20 (including)	5.4.128 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	5.5 (including)	5.10.46 (excluding)
cpe:2.3:o:linux:linux_kernel::::::::	5.11 (including)	5.12.13 (excluding)
cpe:2.3:o:linux:linux_kernel:5.13:rc1::::::
cpe:2.3:o:linux:linux_kernel:5.13:rc2::::::
cpe:2.3:o:linux:linux_kernel:5.13:rc3::::::
cpe:2.3:o:linux:linux_kernel:5.13:rc4::::::
cpe:2.3:o:linux:linux_kernel:5.13:rc5::::::
cpe:2.3:o:linux:linux_kernel:5.13:rc6::::::

To consult the complete list of CPE names with products and versions, see this page

CVE-2021-47238

Description

Impact

Vulnerable products and versions

References to Advisories, Solutions, and Tools