Bug 1221970 (CVE-2021-47158)

Summary: VUL-0: CVE-2021-47158: kernel: net: dsa: sja1105: add error handling in sja1105_setup()
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gabriel.bertazi, gabriele.sonnu, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/398812/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-47158:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-03-26 10:49:18 UTC 
In the Linux kernel, the following vulnerability has been resolved:

net: dsa: sja1105: add error handling in sja1105_setup()

If any of sja1105_static_config_load(), sja1105_clocking_setup() or
sja1105_devlink_setup() fails, we can't just return in the middle of
sja1105_setup() or memory will leak. Add a cleanup path.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47158
https://www.cve.org/CVERecord?id=CVE-2021-47158
https://git.kernel.org/stable/c/987e4ab8b8a4fcbf783069e03e7524cd39ffd563
https://git.kernel.org/stable/c/cec279a898a3b004411682f212215ccaea1cd0fb
https://git.kernel.org/stable/c/dd8609f203448ca6d58ae71461208b3f6b0329b0
https://bugzilla.redhat.com/show_bug.cgi?id=2271474
Comment 1 Gabriele Sonnu 2024-03-26 13:28:10 UTC 
Offending commit (8aa9ebccae87) found in:
 - ALP-current
 - cve/linux-5.3-LTSS
 - cve/linux-5.14-LTSS
 - SLE15-SP2-LTSS
 - SLE15-SP3-LTSS
 - SLE15-SP4-LTSS
 - SLE15-SP5
 - SLE15-SP6
 - stable

Fixing commit (cec279a898a3) found in:
 - ALP-current
 - cve/linux-5.14-LTSS
 - SLE15-SP4-LTSS
 - SLE15-SP5
 - SLE15-SP6
 - stable

Tracking as affected:
 - cve/linux-5.3-LTSS
 - SLE15-SP2-LTSS
 - SLE15-SP3-LTSS
Comment 2 Gabriel Krisman Bertazi 2024-04-26 23:01:29 UTC 
This only affects LTSS but it is low score(<7) and really low impact.  From our point of view, we shouldn't handle it.  Back to the security team.