Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2014-2851: current group_info should be put after using.

Integer overflow in the ping_init_sock function in net/ipv4/ping.c in the Linux kernel through 3.14.1 allows local users to cause a denial of service (use-after-free and system crash) or possibly gain privileges via a crafted application that leverages an improperly managed reference counter.

CVE
#linux#dos#git#intel#perl#xiaomi

Subject

[PATCH] net: ipv4: current group_info should be put after using.

From

Date

Fri, 11 Apr 2014 13:37:08 -0400

There is a memory leak in ping. Current group_info had been got in
ping_init_sock and group_info->usage increased.
But the usage hasn’t decreased anywhere in ping.
This will make this group_info never freed and cause memory leak.

unreferenced object 0xcd0e8840 (size 192):
comm "dumpstate", pid 7583, jiffies 78360 (age 91.810s)
hex dump (first 32 bytes):
02 00 00 00 06 00 00 00 01 00 00 00 ef 03 00 00 …
f1 03 00 00 f7 03 00 00 04 04 00 00 bb 0b 00 00 …
backtrace:
[<c1a6bbfc>] kmemleak_alloc+0x3c/0xa0
[<c1320457>] __kmalloc+0xe7/0x1d0
[<c1267c04>] groups_alloc+0x34/0xb0
[<c1267e5c>] SyS_setgroups+0x3c/0xf0
[<c1a864a8>] syscall_call+0x7/0xb
[<ffffffff>] 0xffffffff

Signed-off-by: Chuansheng Liu [email protected]
Signed-off-by: Zhang Dongxing [email protected]
Signed-off-by: xiaoming wang [email protected]

net/ipv4/ping.c | 11 +++++++±–
1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c
index f4b19e5…2af7b1f 100644
— a/net/ipv4/ping.c
+++ b/net/ipv4/ping.c
@@ -255,23 +255,28 @@ int ping_init_sock(struct sock *sk)
struct group_info *group_info = get_current_groups();
int i, j, count = group_info->ngroups;
kgid_t low, high;

  • int ret = 0;

    inet_get_ping_group_range_net(net, &low, &high);
    if (gid_lte(low, group) && gid_lte(group, high))
    - return 0;

  •   goto out\_release\_group;
    

    for (i = 0; i < group_info->nblocks; i++) {
    int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
    for (j = 0; j < cp_count; j++) {
    kgid_t gid = group_info->blocks[i][j];
    if (gid_lte(low, gid) && gid_lte(gid, high))
    - return 0;

  •           goto out\_release\_group;  
      }
    
      count -= cp\_count;  
    

    }

  • return -EACCES;
  • ret = -EACCES;

+out_release_group:

  • put_group_info(group_info);
  • return ret;
    }
    EXPORT_SYMBOL_GPL(ping_init_sock);


1.7.1

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907