ghsa-xvmj-27r5-9623
Vulnerability from github
Published
2024-05-22 09:31
Modified
2024-05-22 09:31
Details

In the Linux kernel, the following vulnerability has been resolved:

cgroup: Fix memory leak caused by missing cgroup_bpf_offline

When enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running the command as below:

$mount -t cgroup -o none,name=foo cgroup cgroup/
$umount cgroup/

unreferenced object 0xc3585c40 (size 64): comm "mount", pid 425, jiffies 4294959825 (age 31.990s) hex dump (first 32 bytes): 01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00 ......(......... 00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00 ........lC...... backtrace: [] cgroup_bpf_inherit+0x44/0x24c [<1f03679c>] cgroup_setup_root+0x174/0x37c [] cgroup1_get_tree+0x2c0/0x4a0 [] vfs_get_tree+0x24/0x108 [] path_mount+0x384/0x988 [] do_mount+0x64/0x9c [<208c9cfe>] sys_mount+0xfc/0x1f4 [<06dd06e0>] ret_fast_syscall+0x0/0x48 [] 0xbeb4daa8

This is because that since the commit 2b0d3d3e4fcf ("percpu_ref: reduce memory footprint of percpu_ref in fast path") root_cgrp->bpf.refcnt.data is allocated by the function percpu_ref_init in cgroup_bpf_inherit which is called by cgroup_setup_root when mounting, but not freed along with root_cgrp when umounting. Adding cgroup_bpf_offline which calls percpu_ref_kill to cgroup_kill_sb can free root_cgrp->bpf.refcnt.data in umount path.

This patch also fixes the commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself"). A cgroup_bpf_offline is needed to do a cleanup that frees the resources which are allocated by cgroup_bpf_inherit in cgroup_setup_root.

And inside cgroup_bpf_offline, cgroup_get() is at the beginning and cgroup_put is at the end of cgroup_bpf_release which is called by cgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of cgroup's refcount.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2021-47488"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-22T09:15:10Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\ncgroup: Fix memory leak caused by missing cgroup_bpf_offline\n\nWhen enabling CONFIG_CGROUP_BPF, kmemleak can be observed by running\nthe command as below:\n\n    $mount -t cgroup -o none,name=foo cgroup cgroup/\n    $umount cgroup/\n\nunreferenced object 0xc3585c40 (size 64):\n  comm \"mount\", pid 425, jiffies 4294959825 (age 31.990s)\n  hex dump (first 32 bytes):\n    01 00 00 80 84 8c 28 c0 00 00 00 00 00 00 00 00  ......(.........\n    00 00 00 00 00 00 00 00 6c 43 a0 c3 00 00 00 00  ........lC......\n  backtrace:\n    [\u003ce95a2f9e\u003e] cgroup_bpf_inherit+0x44/0x24c\n    [\u003c1f03679c\u003e] cgroup_setup_root+0x174/0x37c\n    [\u003ced4b0ac5\u003e] cgroup1_get_tree+0x2c0/0x4a0\n    [\u003cf85b12fd\u003e] vfs_get_tree+0x24/0x108\n    [\u003cf55aec5c\u003e] path_mount+0x384/0x988\n    [\u003ce2d5e9cd\u003e] do_mount+0x64/0x9c\n    [\u003c208c9cfe\u003e] sys_mount+0xfc/0x1f4\n    [\u003c06dd06e0\u003e] ret_fast_syscall+0x0/0x48\n    [\u003ca8308cb3\u003e] 0xbeb4daa8\n\nThis is because that since the commit 2b0d3d3e4fcf (\"percpu_ref: reduce\nmemory footprint of percpu_ref in fast path\") root_cgrp-\u003ebpf.refcnt.data\nis allocated by the function percpu_ref_init in cgroup_bpf_inherit which\nis called by cgroup_setup_root when mounting, but not freed along with\nroot_cgrp when umounting. Adding cgroup_bpf_offline which calls\npercpu_ref_kill to cgroup_kill_sb can free root_cgrp-\u003ebpf.refcnt.data in\numount path.\n\nThis patch also fixes the commit 4bfc0bb2c60e (\"bpf: decouple the lifetime\nof cgroup_bpf from cgroup itself\"). A cgroup_bpf_offline is needed to do a\ncleanup that frees the resources which are allocated by cgroup_bpf_inherit\nin cgroup_setup_root.\n\nAnd inside cgroup_bpf_offline, cgroup_get() is at the beginning and\ncgroup_put is at the end of cgroup_bpf_release which is called by\ncgroup_bpf_offline. So cgroup_bpf_offline can keep the balance of\ncgroup\u0027s refcount.",
  "id": "GHSA-xvmj-27r5-9623",
  "modified": "2024-05-22T09:31:46Z",
  "published": "2024-05-22T09:31:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47488"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/01599bf7cc2b49c3d2be886cb438647dc25446ed"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/04f8ef5643bcd8bcde25dfdebef998aea480b2ba"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/b529f88d93884cf8ccafda793ee3d27b82fa578d"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.