CVE-2021-47292

{"id": "CVE-2021-47292", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-05-21T15:15:17.173", "references": [{"url": "https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memleak in io_init_wq_offload()\n\nI got memory leak report when doing fuzz test:\n\nBUG: memory leak\nunreferenced object 0xffff888107310a80 (size 96):\ncomm \"syz-executor.6\", pid 4610, jiffies 4295140240 (age 20.135s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\nbacktrace:\n[<000000001974933b>] kmalloc include/linux/slab.h:591 [inline]\n[<000000001974933b>] kzalloc include/linux/slab.h:721 [inline]\n[<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline]\n[<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955\n[<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016\n[<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]\n[<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]\n[<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]\n[<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301\n[<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n[<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nCPU0 CPU1\nio_uring_enter io_uring_enter\nio_uring_add_tctx_node io_uring_add_tctx_node\n__io_uring_add_tctx_node __io_uring_add_tctx_node\nio_uring_alloc_task_context io_uring_alloc_task_context\nio_init_wq_offload io_init_wq_offload\nhash = kzalloc hash = kzalloc\nctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked\n\nWhen calling io_uring_enter() in parallel, the 'hash_map' will be leaked,\nadd uring_lock to protect 'hash_map'."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: io_uring: corrige memleak en io_init_wq_offload(). Recib\u00ed un informe de p\u00e9rdida de memoria al realizar la prueba fuzz: BUG: p\u00e9rdida de memoria objeto sin referencia 0xffff888107310a80 (tama\u00f1o 96): comm \"syz-executor.6\" , pid 4610, sjiffies 4295140240 (edad 20,135 s) volcado hexadecimal (primeros 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................. 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [&lt;000000001974933b&gt;] kmalloc include/linux/slab.h:591 [en l\u00ednea] [&lt;000000001974933b&gt;] kzalloc include/linux/slab.h:721 [en l\u00ednea] [&lt;000000001974933b&gt;] io_init_wq_offload fs/io_uring.c:7920 [en l\u00ednea] [&lt;000000001974933b&gt;] _context+0x466/0x640 fs/io_uring .c:7955 [&lt;0000000039d0800d&gt;] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 [&lt;000000008482e78c&gt;] io_uring_add_tctx_node fs/io_uring.c:9052 [en l\u00ednea] 0000008482e78c&gt;] __do_sys_io_uring_enter fs/io_uring.c:9354 [en l\u00ednea] [&lt;000000008482e78c&gt;] __se_sys_io_uring_enter fs/io_uring.c:9301 [en l\u00ednea] [&lt;000000008482e78c&gt;] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 [&lt;00000000b 875f18f&gt;] do_syscall_x64 arch/x86/entry/common. c:50 [en l\u00ednea] [&lt;00000000b875f18f&gt;] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 [&lt;000000006b0a8484&gt;] Entry_SYSCALL_64_after_hwframe+0x44/0xae CPU0 CPU1 io_uring_enter io_uring_enter io_uring_add_tctx_node io_uring_add_tctx_node __io_uring_add_tctx_node __io_uring_add_tctx_node io_uring_alloc_task_context io_uring_alloc_task_context io_init_wq_offload io_init_wq_offload hash = kzalloc hash = kzalloc ctx-&gt;hash_map = hash ctx-&gt;hash_map = hash &lt;- uno de los hash se filtra Al llamar a io_uring_enter() en paralelo, se filtrar\u00e1 el 'hash_map', agregue uring_lock para proteger 'hash_map'."}], "lastModified": "2024-12-23T16:58:26.957", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26AF533A-A941-40CE-9F94-7F1133DE098F", "versionEndExcluding": "5.13.6", "versionStartIncluding": "5.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "71268287-21A8-4488-AA4F-23C473153131"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.14:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "23B9E5C6-FAB5-4A02-9E39-27C8787B0991"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}