Overview
About vulnerability
In the Linux kernel, the following vulnerability has been resolved:
capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to complete the memory allocation of tmpbuf, if we have completed the memory allocation of tmpbuf, but failed to call handler->get(…), there will be a memleak in below logic:
|– ret = (int)vfs_getxattr_alloc(mnt_userns, …) | /* ^^^ alloc for tmpbuf */ |– value = krealloc(xattr_value, error + 1, flags) | / ^^^ alloc memory / |– error = handler->get(handler, …) | / error! */ |– xattr_value = value | / xattr_value is &tmpbuf (memory leak!) */
So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.
[PM: subject line and backtrace tweaks]
Details
- Affected product:
- AlmaLinux 9.2 ESU , CentOS 8.4 ELS , CentOS 8.5 ELS , CentOS Stream 8 ELS , Oracle Linux 7 ELS , TuxCare 9.6 ESU , Ubuntu 16.04 ELS , Ubuntu 18.04 ELS , Ubuntu 20.04 ELS
- Affected packages:
- kernel @ 4.18.0 (+8 more)
In the Linux kernel, the following vulnerability has been resolved:
capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to complete the memory allocation of tmpbuf, if we have completed the memory allocation of tmpbuf, but failed to call handler->get(…), there will be a memleak in below logic:
|– ret = (int)vfs_getxattr_alloc(mnt_userns, …) | /* ^^^ alloc for tmpbuf */ |– value = krealloc(xattr_value, error + 1, flags) | / ^^^ alloc memory / |– error = handler->get(handler, …) | / error! */ |– xattr_value = value | / xattr_value is &tmpbuf (memory leak!) */
So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.
[PM: subject line and backtrace tweaks]