GHSA-QQF8-29GP-9WQX

Vulnerability from github – Published: 2025-03-10 21:31 – Updated: 2025-11-03 21:32
VLAI?
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/kexec: fix memory leak of elf header buffer

This is reported by kmemleak detector:

unreferenced object 0xffffc900002a9000 (size 4096): comm "kexec", pid 14950, jiffies 4295110793 (age 373.951s) hex dump (first 32 bytes): 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............ 04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..>............. backtrace: [<0000000016a8ef9f>] __vmalloc_node_range+0x101/0x170 [<000000002b66b6c0>] __vmalloc_node+0xb4/0x160 [<00000000ad40107d>] crash_prepare_elf64_headers+0x8e/0xcd0 [<0000000019afff23>] crash_load_segments+0x260/0x470 [<0000000019ebe95c>] bzImage64_load+0x814/0xad0 [<0000000093e16b05>] arch_kexec_kernel_image_load+0x1be/0x2a0 [<000000009ef2fc88>] kimage_file_alloc_init+0x2ec/0x5a0 [<0000000038f5a97a>] __do_sys_kexec_file_load+0x28d/0x530 [<0000000087c19992>] do_syscall_64+0x3b/0x90 [<0000000066e063a4>] entry_SYSCALL_64_after_hwframe+0x44/0xae

In crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to store elf headers. While it's not freed back to system correctly when kdump kernel is reloaded or unloaded. Then memory leak is caused. Fix it by introducing x86 specific function arch_kimage_file_post_load_cleanup(), and freeing the buffer there.

And also remove the incorrect elf header buffer freeing code. Before calling arch specific kexec_file loading function, the image instance has been initialized. So 'image->elf_headers' must be NULL. It doesn't make sense to free the elf header buffer in the place.

Three different people have reported three bugs about the memory leak on x86_64 inside Redhat.

Severity ?
5.5 (Medium)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2022-49546"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-26T07:01:30Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/kexec: fix memory leak of elf header buffer\n\nThis is reported by kmemleak detector:\n\nunreferenced object 0xffffc900002a9000 (size 4096):\n  comm \"kexec\", pid 14950, jiffies 4295110793 (age 373.951s)\n  hex dump (first 32 bytes):\n    7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00  .ELF............\n    04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00  ..\u003e.............\n  backtrace:\n    [\u003c0000000016a8ef9f\u003e] __vmalloc_node_range+0x101/0x170\n    [\u003c000000002b66b6c0\u003e] __vmalloc_node+0xb4/0x160\n    [\u003c00000000ad40107d\u003e] crash_prepare_elf64_headers+0x8e/0xcd0\n    [\u003c0000000019afff23\u003e] crash_load_segments+0x260/0x470\n    [\u003c0000000019ebe95c\u003e] bzImage64_load+0x814/0xad0\n    [\u003c0000000093e16b05\u003e] arch_kexec_kernel_image_load+0x1be/0x2a0\n    [\u003c000000009ef2fc88\u003e] kimage_file_alloc_init+0x2ec/0x5a0\n    [\u003c0000000038f5a97a\u003e] __do_sys_kexec_file_load+0x28d/0x530\n    [\u003c0000000087c19992\u003e] do_syscall_64+0x3b/0x90\n    [\u003c0000000066e063a4\u003e] entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nIn crash_prepare_elf64_headers(), a buffer is allocated via vmalloc() to\nstore elf headers.  While it\u0027s not freed back to system correctly when\nkdump kernel is reloaded or unloaded.  Then memory leak is caused.  Fix it\nby introducing x86 specific function arch_kimage_file_post_load_cleanup(),\nand freeing the buffer there.\n\nAnd also remove the incorrect elf header buffer freeing code.  Before\ncalling arch specific kexec_file loading function, the image instance has\nbeen initialized.  So \u0027image-\u003eelf_headers\u0027 must be NULL.  It doesn\u0027t make\nsense to free the elf header buffer in the place.\n\nThree different people have reported three bugs about the memory leak on\nx86_64 inside Redhat.",
  "id": "GHSA-qqf8-29gp-9wqx",
  "modified": "2025-11-03T21:32:52Z",
  "published": "2025-03-10T21:31:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-49546"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/115ee42a4c2f26ba2b4ace2668a3f004621f6833"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/23cf39dccf7653650701a6f39b119e9116a27f1a"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/8765a423a87d74ef24ea02b43b2728fe4039f248"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b3e34a47f98974d0844444c5121aaff123004e57"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f675e3a9189d84a9324ab45b0cb19906c2bc8fcb"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.