Memory Leak Affecting cluster-md-kmp-default package, versions <5.14.21-150500.55.73.1


Severity

Recommended
0.0
medium
0
10

Based on SUSE Linux Enterprise Server security rating.

Threat Intelligence

EPSS
0.04% (5th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Memory Leak vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-SLES155-CLUSTERMDKMPDEFAULT-7706284
  • published17 Aug 2024
  • disclosed16 Aug 2024

Introduced: 16 Aug 2024

CVE-2024-41006  (opens in a new tab)
CWE-401  (opens in a new tab)

How to fix?

Upgrade SLES:15.5 cluster-md-kmp-default to version 5.14.21-150500.55.73.1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream cluster-md-kmp-default package and not the cluster-md-kmp-default package as distributed by SLES. See How to fix? for SLES:15.5 relevant fixed versions and status.

In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nr_heartbeat_expiry()

syzbot reported a memory leak in nr_create() 0.

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b."

nr_connect nr_establish_data_link nr_start_heartbeat

nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY);

                    nr_rx_frame
                      nr_process_rx_frame
                        switch (nr-&gt;state)
                        case NR_STATE_2
                          nr_state2_machine()
                            nr_disconnect()
                              nr_sk(sk)-&gt;state = NR_STATE_0
                              sock_set_flag(sk, SOCK_DEAD)

                nr_heartbeat_expiry
                  switch (nr-&amp;gt;state)
                  case NR_STATE_0
                    if (sock_flag(sk, SOCK_DESTROY) ||
                       (sk-&amp;gt;sk_state == TCP_LISTEN
                         &amp;amp;&amp;amp; sock_flag(sk, SOCK_DEAD)))
                       sock_hold()  // ( !!! )
                       nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.

CVSS Scores

version 3.1