In the Linux kernel, the following vulnerability has been resolved:

kfence: fix memory leak when cat kfence objects

Hulk robot reported a kmemleak problem:

  unreferenced object 0xffff93d1d8cc02e8 (size 248):
    comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s)
    hex dump (first 32 bytes):
      00 40 85 19 d4 93 ff ff 00 10 00 00 00 00 00 00  .@…
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  …
    backtrace:
      seq_open+0x2a/0x80
      full_proxy_open+0x167/0x1e0
      do_dentry_open+0x1e1/0x3a0
      path_openat+0x961/0xa20
      do_filp_open+0xae/0x120
      do_sys_openat2+0x216/0x2f0
      do_sys_open+0x57/0x80
      do_syscall_64+0x33/0x40
      entry_SYSCALL_64_after_hwframe+0x44/0xa9

  unreferenced object 0xffff93d419854000 (size 4096):
    comm "cat", pid 23327, jiffies 4624670141 (age 495992.217s)
    hex dump (first 32 bytes):
      6b 66 65 6e 63 65 2d 23 32 35 30 3a 20 30 78 30  kfence-#250: 0x0
      30 30 30 30 30 30 30 37 35 34 62 64 61 31 32 2d  0000000754bda12-
    backtrace:
      seq_read_iter+0x313/0x440
      seq_read+0x14b/0x1a0
      full_proxy_read+0x56/0x80
      vfs_read+0xa5/0x1b0
      ksys_read+0xa0/0xf0
      do_syscall_64+0x33/0x40
      entry_SYSCALL_64_after_hwframe+0x44/0xa9

I find that we can easily reproduce this problem with the following commands:

  cat /sys/kernel/debug/kfence/objects
  echo scan > /sys/kernel/debug/kmemleak
  cat /sys/kernel/debug/kmemleak

The leaked memory is allocated in the stack below:

  do_syscall_64
    do_sys_open
      do_dentry_open
        full_proxy_open
          seq_open               ---> alloc seq_file
  vfs_read
    full_proxy_read
      seq_read
        seq_read_iter
          traverse               ---> alloc seq_buf

And it should have been released in the following process:

  do_syscall_64
    syscall_exit_to_user_mode
      exit_to_user_mode_prepare
        task_work_run
          ____fput
            __fput
              full_proxy_release ---> free here

However, the release function corresponding to file_operations is not implemented in kfence. As a result, a memory leak occurs. Therefore, the solution to this problem is to implement the corresponding release function.
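The open/read/release lifecycle the commit message walks through, as an added user-space model that is not kernel code and not part of the linked commit: a counter stands in for kmemleak's count of unreferenced objects, the struct and function names mirror the seq_file API only by analogy, and the sample output line is constructed. One set of file_operations omits .release, as the kfence objects file did; the other wires it up, the kernel-side counterpart being a .release = seq_release entry (the seq_file API's standard release callback).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Added user-space model of the seq_file open/read/release lifecycle
 * (not kernel code). live_allocs stands in for kmemleak's view of
 * unreferenced objects. */
static int live_allocs;

static void *track_alloc(size_t n)
{
    void *p = calloc(1, n);
    if (p)
        live_allocs++;
    return p;
}

static void track_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

/* Model of struct seq_file: the 248-byte object in the report. */
struct seq_file {
    char *buf;      /* output page, allocated lazily by the first read */
    size_t size;
    size_t count;
};

/* Model of struct file: the seq_file hangs off private_data as in the kernel. */
struct file {
    void *private_data;
};

/* Only the callbacks the bug concerns. release == NULL models a debugfs
 * file whose file_operations never set .release. */
struct file_operations {
    int (*open)(struct file *);
    ssize_t (*read)(struct file *, char *, size_t);
    int (*release)(struct file *);
};

/* seq_open: allocates the struct seq_file (first leaked object). */
static int model_seq_open(struct file *f)
{
    f->private_data = track_alloc(sizeof(struct seq_file));
    return f->private_data ? 0 : -1;
}

/* seq_read: on the first read, the traverse step allocates the page-sized
 * buffer (second leaked object) and runs the show callback into it. */
static ssize_t model_seq_read(struct file *f, char *out, size_t n)
{
    struct seq_file *m = f->private_data;
    size_t k;

    if (!m->buf) {
        m->size = 4096;
        m->buf = track_alloc(m->size);
        if (!m->buf)
            return -1;
        /* Constructed sample line in the shape of the kfence objects file. */
        m->count = (size_t)snprintf(m->buf, m->size,
                                    "kfence-#250: 0x00000000754bda12-...\n");
    }
    k = m->count < n ? m->count : n;
    memcpy(out, m->buf, k);
    return (ssize_t)k;
}

/* seq_release: frees the buffer and the seq_file; this is the step the
 * missing .release entry never ran. */
static int model_seq_release(struct file *f)
{
    struct seq_file *m = f->private_data;
    track_free(m->buf);
    track_free(m);
    f->private_data = NULL;
    return 0;
}

/* One `cat` of the file: open, read, close. Returns how many tracked
 * objects the close left behind (0 when nothing leaked). */
static int cat_once(const struct file_operations *fops)
{
    struct file f = { 0 };
    char out[128];
    int before = live_allocs;

    if (fops->open(&f) != 0)
        return -1;
    fops->read(&f, out, sizeof out);
    /* __fput only calls ->release when the file_operations provide one. */
    if (fops->release)
        fops->release(&f);
    return live_allocs - before;
}

/* Before: no release callback, as in the kfence objects file. */
static const struct file_operations leaky_fops = {
    .open = model_seq_open, .read = model_seq_read, .release = NULL,
};

/* After: release wired up; in the kernel this is .release = seq_release. */
static const struct file_operations fixed_fops = {
    .open = model_seq_open, .read = model_seq_read, .release = model_seq_release,
};

int main(void)
{
    printf("objects left behind without .release: %d\n", cat_once(&leaky_fops));
    printf("objects left behind with .release:    %d\n", cat_once(&fixed_fops));
    return 0;
}
```

Each `cat` of the leaky file leaves two objects behind (the seq_file and its buffer), which is exactly the pair of sizes, 248 and 4096 bytes, that kmemleak reported; the fixed file leaves none.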
git.kernel.org/linus/0129ab1f268b6cf88825eae819b9b84aa0a85634 (5.16-rc7)
git.kernel.org/stable/c/0129ab1f268b6cf88825eae819b9b84aa0a85634
git.kernel.org/stable/c/2f06c8293d27f6337f907042c602c9c953988c48
launchpad.net/bugs/cve/CVE-2021-47089
nvd.nist.gov/vuln/detail/CVE-2021-47089
security-tracker.debian.org/tracker/CVE-2021-47089
www.cve.org/CVERecord?id=CVE-2021-47089