CVE-2021-47089

{"id": "CVE-2021-47089", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.3, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 1.8}]}, "published": "2024-03-04T18:15:07.560", "references": [{"url": "https://git.kernel.org/stable/c/0129ab1f268b6cf88825eae819b9b84aa0a85634", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2f06c8293d27f6337f907042c602c9c953988c48", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/0129ab1f268b6cf88825eae819b9b84aa0a85634", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/2f06c8293d27f6337f907042c602c9c953988c48", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nkfence: fix memory leak when cat kfence objects\n\nHulk robot reported a kmemleak problem:\n\n unreferenced object 0xffff93d1d8cc02e8 (size 248):\n comm \"cat\", pid 23327, jiffies 4624670141 (age 495992.217s)\n hex dump (first 32 bytes):\n 00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00 .@..............\n 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\n backtrace:\n seq_open+0x2a/0x80\n full_proxy_open+0x167/0x1e0\n do_dentry_open+0x1e1/0x3a0\n path_openat+0x961/0xa20\n do_filp_open+0xae/0x120\n do_sys_openat2+0x216/0x2f0\n do_sys_open+0x57/0x80\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n unreferenced object 0xffff93d419854000 (size 4096):\n comm \"cat\", pid 23327, jiffies 4624670141 (age 495992.217s)\n hex dump (first 32 bytes):\n 6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30 kfence-#250: 0x0\n 30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d 0000000754bda12-\n backtrace:\n seq_read_iter+0x313/0x440\n seq_read+0x14b/0x1a0\n full_proxy_read+0x56/0x80\n vfs_read+0xa5/0x1b0\n ksys_read+0xa0/0xf0\n do_syscall_64+0x33/0x40\n entry_SYSCALL_64_after_hwframe+0x44/0xa9\n\nI find that we can easily reproduce this problem with the following\ncommands:\n\n\tcat /sys/kernel/debug/kfence/objects\n\techo scan > /sys/kernel/debug/kmemleak\n\tcat /sys/kernel/debug/kmemleak\n\nThe leaked memory is allocated in the stack below:\n\n do_syscall_64\n do_sys_open\n do_dentry_open\n full_proxy_open\n seq_open ---> alloc seq_file\n vfs_read\n full_proxy_read\n seq_read\n seq_read_iter\n traverse ---> alloc seq_buf\n\nAnd it should have been released in the following process:\n\n do_syscall_64\n syscall_exit_to_user_mode\n exit_to_user_mode_prepare\n task_work_run\n ____fput\n __fput\n full_proxy_release ---> free here\n\nHowever, the release function corresponding to file_operations is not\nimplemented in kfence. As a result, a memory leak occurs. Therefore,\nthe solution to this problem is to implement the corresponding release\nfunction."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: kfence: repara la p\u00e9rdida de memoria cuando los objetos cat kfence Hulk robot inform\u00f3 un problema kmemleak: objeto sin referencia 0xffff93d1d8cc02e8 (tama\u00f1o 248): comm \"cat\", pid 23327, jiffies 4624670141 (edad 495992.217s ) volcado hexadecimal (primeros 32 bytes): 00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00 .@.............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................. rastreo inverso: seq_open+0x2a/0x80 full_proxy_open+0x167/0x1e0 do_dentry_open+0x1e1/0x3a0 path_openat+0x961/0xa20 do_filp_open+0xae/0x120 do_sys_openat2+0x216/0x2f0 do_sys_open+0x57/0x80 do_syscall_64+0x33/0x40 Entry_SYSCALL_64_after_hwframe+0x44/0xa9 objeto sin referencia 0xffff93d419854000 (tama\u00f1o 4096): comm \"cat\", pid 23327, Jiffies 4624670141 (edad 495992,217 s) volcado hexadecimal (primeros 32 bytes) : 6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30 kfence-#250: 0x0 30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d 0000000754bda1 2- rastreo inverso: seq_read_iter+0x313/0x440 seq_read+ 0x14b/0x1a0 full_proxy_read+0x56/0x80 vfs_read+0xa5/0x1b0 ksys_read+0xa0/0xf0 do_syscall_64+0x33/0x40 Entry_SYSCALL_64_after_hwframe+0x44/0xa9 Creo que podemos reproducir f\u00e1cilmente este problema con los siguientes comandos: cat /sys/kernel/ depurar/ kfence/objects echo scan > /sys/kernel/debug/kmemleak cat /sys/kernel/debug/kmemleak La memoria filtrada se asigna en la pila siguiente: do_syscall_64 do_sys_open do_dentry_open full_proxy_open seq_open ---> alloc seq_file vfs_read full_proxy_read seq_read seq_read_iter traverse - --> alloc seq_buf Y deber\u00eda haberse liberado en el siguiente proceso: do_syscall_64 syscall_exit_to_user_mode exit_to_user_mode_prepare task_work_run ____fput __fput full_proxy_release ---> free aqu\u00ed Sin embargo, la funci\u00f3n de liberaci\u00f3n correspondiente a file_operatives no est\u00e1 implementada en kfence. Como resultado, se produce una p\u00e9rdida de memoria. Por tanto, la soluci\u00f3n a este problema es implementar la funci\u00f3n de liberaci\u00f3n correspondiente."}], "lastModified": "2025-04-04T14:41:46.367", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CAD6D48-E560-4E57-93BC-36BEBD6A8FA6", "versionEndExcluding": "5.15.12", "versionStartIncluding": "5.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "357AA433-37E8-4323-BFB2-3038D6E4B414"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A73429BA-C2D9-4D0C-A75F-06A1CA8B3983"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F621B5E3-E99D-49E7-90B9-EC3B77C95383"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7BFDCAA-1650-49AA-8462-407DD593F94F"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EC9882F-866D-4ACB-8FBC-213D8D8436C8"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8A0915FE-A4AA-4C94-B783-CF29D81E7E54"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}