GHSA-MRM7-VH23-G98V
Vulnerability from github – Published: 2024-05-21 15:31 – Updated: 2024-12-23 18:30In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix memleak in io_init_wq_offload()
I got memory leak report when doing fuzz test:
BUG: memory leak unreferenced object 0xffff888107310a80 (size 96): comm "syz-executor.6", pid 4610, jiffies 4295140240 (age 20.135s) hex dump (first 32 bytes): 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N.......... backtrace: [<000000001974933b>] kmalloc include/linux/slab.h:591 [inline] [<000000001974933b>] kzalloc include/linux/slab.h:721 [inline] [<000000001974933b>] io_init_wq_offload fs/io_uring.c:7920 [inline] [<000000001974933b>] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955 [<0000000039d0800d>] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016 [<000000008482e78c>] io_uring_add_tctx_node fs/io_uring.c:9052 [inline] [<000000008482e78c>] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline] [<000000008482e78c>] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline] [<000000008482e78c>] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301 [<00000000b875f18f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<00000000b875f18f>] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80 [<000000006b0a8484>] entry_SYSCALL_64_after_hwframe+0x44/0xae
CPU0 CPU1 io_uring_enter io_uring_enter io_uring_add_tctx_node io_uring_add_tctx_node __io_uring_add_tctx_node __io_uring_add_tctx_node io_uring_alloc_task_context io_uring_alloc_task_context io_init_wq_offload io_init_wq_offload hash = kzalloc hash = kzalloc ctx->hash_map = hash ctx->hash_map = hash <- one of the hash is leaked
When calling io_uring_enter() in parallel, the 'hash_map' will be leaked, add uring_lock to protect 'hash_map'.
{
"affected": [],
"aliases": [
"CVE-2021-47292"
],
"database_specific": {
"cwe_ids": [
"CWE-401"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-05-21T15:15:17Z",
"severity": "MODERATE"
},
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nio_uring: fix memleak in io_init_wq_offload()\n\nI got memory leak report when doing fuzz test:\n\nBUG: memory leak\nunreferenced object 0xffff888107310a80 (size 96):\ncomm \"syz-executor.6\", pid 4610, jiffies 4295140240 (age 20.135s)\nhex dump (first 32 bytes):\n01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........\nbacktrace:\n[\u003c000000001974933b\u003e] kmalloc include/linux/slab.h:591 [inline]\n[\u003c000000001974933b\u003e] kzalloc include/linux/slab.h:721 [inline]\n[\u003c000000001974933b\u003e] io_init_wq_offload fs/io_uring.c:7920 [inline]\n[\u003c000000001974933b\u003e] io_uring_alloc_task_context+0x466/0x640 fs/io_uring.c:7955\n[\u003c0000000039d0800d\u003e] __io_uring_add_tctx_node+0x256/0x360 fs/io_uring.c:9016\n[\u003c000000008482e78c\u003e] io_uring_add_tctx_node fs/io_uring.c:9052 [inline]\n[\u003c000000008482e78c\u003e] __do_sys_io_uring_enter fs/io_uring.c:9354 [inline]\n[\u003c000000008482e78c\u003e] __se_sys_io_uring_enter fs/io_uring.c:9301 [inline]\n[\u003c000000008482e78c\u003e] __x64_sys_io_uring_enter+0xabc/0xc20 fs/io_uring.c:9301\n[\u003c00000000b875f18f\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[\u003c00000000b875f18f\u003e] do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80\n[\u003c000000006b0a8484\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nCPU0 CPU1\nio_uring_enter io_uring_enter\nio_uring_add_tctx_node io_uring_add_tctx_node\n__io_uring_add_tctx_node __io_uring_add_tctx_node\nio_uring_alloc_task_context io_uring_alloc_task_context\nio_init_wq_offload io_init_wq_offload\nhash = kzalloc hash = kzalloc\nctx-\u003ehash_map = hash ctx-\u003ehash_map = hash \u003c- one of the hash is leaked\n\nWhen calling io_uring_enter() in parallel, the \u0027hash_map\u0027 will be leaked,\nadd uring_lock to protect \u0027hash_map\u0027.",
"id": "GHSA-mrm7-vh23-g98v",
"modified": "2024-12-23T18:30:47Z",
"published": "2024-05-21T15:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47292"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/362a9e65289284f36403058eea2462d0330c1f24"
},
{
"type": "WEB",
"url": "https://git.kernel.org/stable/c/502731a03f27cba1513fbbff77e508185ffce5bb"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.