CVE-2021-46937

In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' DAMON debugfs interface increases the reference counts of 'struct pid's for targets from the 'target_ids' file write callback ('dbgfs_target_ids_write()'), but decreases the counts only in DAMON monitoring termination callback ('dbgfs_before_terminate()'). Therefore, when 'target_ids' file is repeatedly written without DAMON monitoring start/termination, the reference count is not decreased and therefore memory for the 'struct pid' cannot be freed. This commit fixes this issue by decreasing the reference counts when 'target_ids' is written.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/ebb3f994dd92f8fb4d70c7541091216c1e10cb71	Patch
https://git.kernel.org/stable/c/ffe4a1ba1a82c416a6b3a09d46594f6a885ae141	Patch

Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2024-02-27 10:15

Updated : 2024-04-10 18:59

NVD link : CVE-2021-46937

Mitre link : CVE-2021-46937

CVE.ORG link : CVE-2021-46937

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2021-46937", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-02-27T10:15:08.067", "references": [{"url": "https://git.kernel.org/stable/c/ebb3f994dd92f8fb4d70c7541091216c1e10cb71", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/ffe4a1ba1a82c416a6b3a09d46594f6a885ae141", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()'\n\nDAMON debugfs interface increases the reference counts of 'struct pid's\nfor targets from the 'target_ids' file write callback\n('dbgfs_target_ids_write()'), but decreases the counts only in DAMON\nmonitoring termination callback ('dbgfs_before_terminate()').\n\nTherefore, when 'target_ids' file is repeatedly written without DAMON\nmonitoring start/termination, the reference count is not decreased and\ntherefore memory for the 'struct pid' cannot be freed. This commit\nfixes this issue by decreasing the reference counts when 'target_ids' is\nwritten."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: mm/damon/dbgfs: corrige las fugas de 'struct pid' en 'dbgfs_target_ids_write()' La interfaz DAMON debugfs aumenta los recuentos de referencias de 'struct pid' para los objetivos de la escritura del archivo 'target_ids' devoluci\u00f3n de llamada ('dbgfs_target_ids_write()'), pero disminuye los recuentos solo en la devoluci\u00f3n de llamada de terminaci\u00f3n de monitoreo de DAMON ('dbgfs_before_terminate()'). Por lo tanto, cuando el archivo 'target_ids' se escribe repetidamente sin que DAMON supervise el inicio/terminaci\u00f3n, el recuento de referencias no disminuye y, por lo tanto, no se puede liberar memoria para 'struct pid'. Este commit soluciona este problema al disminuir el recuento de referencias cuando se escribe 'target_ids'."}], "lastModified": "2024-04-10T18:59:16.507", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8CC64BCA-D219-487C-A123-4C470FE30AB2", "versionEndExcluding": "5.15.13", "versionStartIncluding": "5.15.0"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}