Bug 1221535 (CVE-2021-47121)

Summary:	VUL-0: CVE-2021-47121: kernel: net: caif: memory leak in cfusbl_device_notify()
Product:	[Novell Products] SUSE Security Incidents	Reporter:	SMASH SMASH <smash_bz>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED INVALID	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	carlos.lopez, mhocko, osalvador
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/397855/
Whiteboard:	CVSSv3.1:SUSE:CVE-2021-47121:4.7:(AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description SMASH SMASH 2024-03-18 07:12:59 UTC

In the Linux kernel, the following vulnerability has been resolved:

net: caif: fix memory leak in cfusbl_device_notify

In case of caif_enroll_dev() fail, allocated
link_support won't be assigned to the corresponding
structure. So simply free allocated pointer in case
of error.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47121
https://www.cve.org/CVERecord?id=CVE-2021-47121
https://git.kernel.org/stable/c/46403c1f80b0d3f937ff9c4f5edc63bb64bc5051
https://git.kernel.org/stable/c/4d94f530cd24c85aede6e72b8923f371b45d6886
https://git.kernel.org/stable/c/7f5d86669fa4d485523ddb1d212e0a2d90bd62bb
https://git.kernel.org/stable/c/81afc61cb6e2b553f2c5f992fa79e0ae73857141
https://git.kernel.org/stable/c/9ea0ab48e755d8f29fe89eb235fb86176fdb597f
https://git.kernel.org/stable/c/cc302e30a504e6b60a9ac8df7988646f46cd0294
https://git.kernel.org/stable/c/dde8686985ec24d6b00487080a906609bd613ea1
https://git.kernel.org/stable/c/e8b37f5009ea7095529790f022859711e6939c76
https://bugzilla.redhat.com/show_bug.cgi?id=2269848

Comment 1 Carlos López 2024-03-18 07:19:45 UTC

master:             Already Fixed
stable:             Already Fixed
SLE15-SP6:          Already Fixed
    ALP-current:    Already Fixed
cve/linux-5.14:     Already Fixed
    SLE15-SP5:      Already Fixed
    SLE15-SP4-LTSS: Already Fixed
cve/linux-5.3:      Not Affected (CONFIG_CAIF_USB disabled)
    SLE15-SP3-LTSS: Affected
    SLE15-SP2-LTSS: Not Affected (CONFIG_CAIF_USB disabled)
cve/linux-4.12:     Not Affected (CONFIG_CAIF_USB disabled)
    SLE12-SP5:      Not Affected (CONFIG_CAIF_USB disabled)
cve/linux-4.4:      Not Affected (CONFIG_CAIF_USB disabled)
    SLE12-SP3-LTSS: Not Affected (CONFIG_CAIF_USB disabled)
    SLE12-SP2-LTSS: Not Affected (CONFIG_CAIF_USB disabled)
cve/linux-3.0:      Not Affected
    SLE11-SP4-LTSS: Not Affected

Comment 5 Michal Hocko 2024-07-15 10:06:50 UTC

caif_enroll_dev can fail when caif_device_alloc fails to allocate caif_device_entry (GFP_KERNEL small allocation) or alloc_percpu(int) fails, neither of which is a feasible attack vector to leak memory. Another is cfcnfg_add_phy_layer failing which would be when "Too many CAIF Link Layers (max 6)" which I cannot really assess. Is this a feasible vector?

Then we have GFP_ATOMIC allocation for cfcnfg_phyinfo. This could be a potential vector. Btw. This should likely be GFP_KERNEL request because this is called from under a mutex so there is no real need for GFP_ATOMIC. Same holds for cffrml_create.

Comment 9 Carlos López 2024-07-16 13:09:17 UTC

Nothing to do, closing.