Bugzilla – Bug 1221535
VUL-0: CVE-2021-47121: kernel: net: caif: memory leak in cfusbl_device_notify()
Last modified: 2024-07-16 13:09:17 UTC
In the Linux kernel, the following vulnerability has been resolved:

net: caif: fix memory leak in cfusbl_device_notify

In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47121
https://www.cve.org/CVERecord?id=CVE-2021-47121
https://git.kernel.org/stable/c/46403c1f80b0d3f937ff9c4f5edc63bb64bc5051
https://git.kernel.org/stable/c/4d94f530cd24c85aede6e72b8923f371b45d6886
https://git.kernel.org/stable/c/7f5d86669fa4d485523ddb1d212e0a2d90bd62bb
https://git.kernel.org/stable/c/81afc61cb6e2b553f2c5f992fa79e0ae73857141
https://git.kernel.org/stable/c/9ea0ab48e755d8f29fe89eb235fb86176fdb597f
https://git.kernel.org/stable/c/cc302e30a504e6b60a9ac8df7988646f46cd0294
https://git.kernel.org/stable/c/dde8686985ec24d6b00487080a906609bd613ea1
https://git.kernel.org/stable/c/e8b37f5009ea7095529790f022859711e6939c76
https://bugzilla.redhat.com/show_bug.cgi?id=2269848
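The leak described above is the classic "allocation not owned by anyone on the error path" pattern: cfusbl_device_notify() allocates link_support, hands it to caif_enroll_dev(), and if enrollment fails nothing holds the pointer. The following is an added userland model of that pattern, not the kernel code and not part of this bug report; every name (notify_leaky, notify_fixed, enroll_dev, track_alloc, the MAX_LINK_LAYERS limit of 6 taken from the "Too many CAIF Link Layers (max 6)" failure mentioned in the discussion) is a hypothetical stand-in. It counts outstanding allocations so the leak on the pre-fix path is observable after the enroll limit is hit, and shows the fixed path releasing the buffer on error.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the cfusbl_device_notify() error path (added example,
 * not kernel code).  MAX_LINK_LAYERS mirrors the "max 6" enroll failure. */
#define MAX_LINK_LAYERS 6

static int live_allocs;              /* outstanding allocations, for leak checking */

struct link_support { char name[16]; };
struct phy_layer    { struct link_support *link; int registered; };

static struct phy_layer layers[MAX_LINK_LAYERS];
static int nlayers;

/* Instrumented allocator so the example can measure what is still live. */
static void *track_alloc(size_t n) {
    void *p = calloc(1, n);
    if (p) live_allocs++;
    return p;
}
static void track_free(void *p) {
    if (p) { live_allocs--; free(p); }
}

/* Stand-in for caif_enroll_dev(): takes ownership of *link ONLY on success. */
static int enroll_dev(struct link_support *link) {
    if (nlayers >= MAX_LINK_LAYERS)
        return -1;                   /* "Too many CAIF Link Layers" */
    layers[nlayers].link = link;
    layers[nlayers].registered = 1;
    nlayers++;
    return 0;
}

/* Pre-fix shape: link_support is dropped on the floor when enroll fails. */
static int notify_leaky(const char *devname) {
    struct link_support *link = track_alloc(sizeof *link);
    if (!link) return -1;
    strncpy(link->name, devname, sizeof link->name - 1);
    return enroll_dev(link);         /* leak: link never freed on failure */
}

/* Fixed shape: release the allocation on the error path. */
static int notify_fixed(const char *devname) {
    struct link_support *link = track_alloc(sizeof *link);
    if (!link) return -1;
    strncpy(link->name, devname, sizeof link->name - 1);
    int err = enroll_dev(link);
    if (err)
        track_free(link);            /* nobody owns it, so free it here */
    return err;
}

/* Release everything that was successfully enrolled. */
static void teardown(void) {
    for (int i = 0; i < nlayers; i++)
        track_free(layers[i].link);
    nlayers = 0;
}

/* Drive n device notifications through fn, tear down, and return how many
 * allocations are still outstanding (i.e. leaked). */
static int leaked_after(int (*fn)(const char *), int n) {
    char name[16];
    for (int i = 0; i < n; i++) {
        snprintf(name, sizeof name, "caif%d", i);   /* constructed device names */
        fn(name);
    }
    teardown();
    int leaked = live_allocs;
    live_allocs = 0;
    return leaked;
}

int main(void) {
    printf("leaky path, 8 devices: %d leaked\n", leaked_after(notify_leaky, 8));
    printf("fixed path, 8 devices: %d leaked\n", leaked_after(notify_fixed, 8));
    return 0;
}
```

With eight notifications against a limit of six, the leaky path leaves two link_support buffers unreachable while the fixed path leaves none; below the limit neither leaks, which is why the bug only matters on the failure paths the discussion below enumerates.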
master: Already Fixed
stable: Already Fixed
SLE15-SP6: Already Fixed
ALP-current: Already Fixed
cve/linux-5.14: Already Fixed
SLE15-SP5: Already Fixed
SLE15-SP4-LTSS: Already Fixed
cve/linux-5.3: Not Affected (CONFIG_CAIF_USB disabled)
SLE15-SP3-LTSS: Affected
SLE15-SP2-LTSS: Not Affected (CONFIG_CAIF_USB disabled)
cve/linux-4.12: Not Affected (CONFIG_CAIF_USB disabled)
SLE12-SP5: Not Affected (CONFIG_CAIF_USB disabled)
cve/linux-4.4: Not Affected (CONFIG_CAIF_USB disabled)
SLE12-SP3-LTSS: Not Affected (CONFIG_CAIF_USB disabled)
SLE12-SP2-LTSS: Not Affected (CONFIG_CAIF_USB disabled)
cve/linux-3.0: Not Affected
SLE11-SP4-LTSS: Not Affected
caif_enroll_dev can fail when caif_device_alloc fails to allocate caif_device_entry (a small GFP_KERNEL allocation) or when alloc_percpu(int) fails, neither of which is a feasible attack vector to leak memory. Another is cfcnfg_add_phy_layer failing, which would be when "Too many CAIF Link Layers (max 6)", which I cannot really assess. Is this a feasible vector? Then we have the GFP_ATOMIC allocation for cfcnfg_phyinfo. This could be a potential vector. Btw, this should likely be a GFP_KERNEL request because this is called from under a mutex, so there is no real need for GFP_ATOMIC. The same holds for cffrml_create.
Nothing to do, closing.