In the Linux kernel, the following vulnerability has been resolved:
net: rds: fix memory leak in rds_recvmsg
Syzbot reported memory leak in rds. The problem
was in unputted refcount in case of error.
int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
int msg_flags)
{
...
if (!rds_next_incoming(rs, &inc)) {
...
}
After this "if" inc refcount incremented and
if (rds_cmsg_recv(inc, msg, rs)) {
ret = -EFAULT;
goto out;
}
...
out:
return ret;
}
in case of rds_cmsg_recv() fail the refcount won't be
decremented. And it's easy to see from ftrace log, that
rds_inc_addref() don't have rds_inc_put() pair in
rds_recvmsg() after rds_cmsg_recv()
1) | rds_recvmsg() {
1) 3.721 us | rds_inc_addref();
1) 3.853 us | rds_message_inc_copy_to_user();
1) + 10.395 us | rds_cmsg_recv();
1) + 34.260 us | }
Metrics
Affected Vendors & Products
No data.
No data.
No data.
References
History
Mon, 04 Nov 2024 12:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-05-21T14:19:46.238Z
Updated: 2024-11-04T12:02:17.094Z
Reserved: 2024-04-10T18:59:19.536Z
Link: CVE-2021-47249
Vulnrichment
Updated: 2024-08-04T05:32:07.936Z
NVD
Status : Awaiting Analysis
Published: 2024-05-21T15:15:13.857
Modified: 2024-05-21T16:54:26.047
Link: CVE-2021-47249
Redhat