Bug 1221542 (CVE-2021-47133)

Summary: VUL-0: CVE-2021-47133: kernel: HID: amd_sfh: memory leak in amd_sfh_work()
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED INVALID QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: carlos.lopez, osalvador
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/397867/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47133:4.7:(AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-18 08:10:05 UTC 
In the Linux kernel, the following vulnerability has been resolved:

HID: amd_sfh: Fix memory leak in amd_sfh_work

Kmemleak tool detected a memory leak in the amd_sfh driver.

====================
unreferenced object 0xffff88810228ada0 (size 32):
  comm "insmod", pid 3968, jiffies 4295056001 (age 775.792s)
  hex dump (first 32 bytes):
    00 20 73 1f 81 88 ff ff 00 01 00 00 00 00 ad de  . s.............
    22 01 00 00 00 00 ad de 01 00 02 00 00 00 00 00  "...............
  backtrace:
    [<000000007b4c8799>] kmem_cache_alloc_trace+0x163/0x4f0
    [<0000000005326893>] amd_sfh_get_report+0xa4/0x1d0 [amd_sfh]
    [<000000002a9e5ec4>] amdtp_hid_request+0x62/0x80 [amd_sfh]
    [<00000000b8a95807>] sensor_hub_get_feature+0x145/0x270 [hid_sensor_hub]
    [<00000000fda054ee>] hid_sensor_parse_common_attributes+0x215/0x460 [hid_sensor_iio_common]
    [<0000000021279ecf>] hid_accel_3d_probe+0xff/0x4a0 [hid_sensor_accel_3d]
    [<00000000915760ce>] platform_probe+0x6a/0xd0
    [<0000000060258a1f>] really_probe+0x192/0x620
    [<00000000fa812f2d>] driver_probe_device+0x14a/0x1d0
    [<000000005e79f7fd>] __device_attach_driver+0xbd/0x110
    [<0000000070d15018>] bus_for_each_drv+0xfd/0x160
    [<0000000013a3c312>] __device_attach+0x18b/0x220
    [<000000008c7b4afc>] device_initial_probe+0x13/0x20
    [<00000000e6e99665>] bus_probe_device+0xfe/0x120
    [<00000000833fa90b>] device_add+0x6a6/0xe00
    [<00000000fa901078>] platform_device_add+0x180/0x380
====================

The fix is to freeing request_list entry once the processed entry is
removed from the request_list.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47133
https://www.cve.org/CVERecord?id=CVE-2021-47133
https://git.kernel.org/stable/c/29beadea66a226d744d5ffdcde6b984623053d24
https://git.kernel.org/stable/c/5ad755fd2b326aa2bc8910b0eb351ee6aece21b1
https://bugzilla.redhat.com/show_bug.cgi?id=2269816
Comment 1 Carlos López 2024-03-18 08:11:06 UTC 
cve/linux-5.14 and newer are already fixed. cve/linux-5.3 and older are not affected.
Comment 3 Carlos López 2024-04-25 16:18:05 UTC 
Done, closing.