Bugzilla – Bug 1225456
VUL-0: REJECTED: CVE-2021-47543: kernel: perf report: Fix memory leaks around perf_tip()
Last modified: 2024-06-14 09:59:34 UTC
In the Linux kernel, the following vulnerability has been resolved: perf report: Fix memory leaks around perf_tip() perf_tip() may allocate memory or use a literal, this means memory wasn't freed if allocated. Change the API so that literals aren't used. At the same time add missing frees for system_path. These issues were spotted using leak sanitizer. References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47543 https://www.cve.org/CVERecord?id=CVE-2021-47543 https://git.kernel.org/stable/c/71e284dcebecb9fd204ff11097469cc547723ad1 https://git.kernel.org/stable/c/d9fc706108c15f8bc2d4ccccf8e50f74830fabd9 https://git.kernel.org/stable/c/df5990db088d4c7fea9a2f9b8195a7859e1768c4 https://git.kernel.org/stable/c/ff061b5bda73c4f785b4703eeb0848fd99e5608a https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2021/CVE-2021-47543.mbox https://bugzilla.redhat.com/show_bug.cgi?id=2283407
Based on the fixing commit (d9fc706108c15f8bc2d4ccccf8e50f74830fabd9) this is a userspace leak (tools/perf). Which can occur when running 'perf report' which has a generally short lived lifespan. How on earth did this get a CVE assigned? From 2021? I really don't see that this is anything we need to be concerned with. Also due to the high level of code churn in perf userspace, backports are more challenging than for the kernel code.
CVE is now rejected. https://lore.kernel.org/linux-cve-announce/2024061337-delegator-chafe-bf6d@gregkh/ Thanks all. Closing.