CVE-2022-49890

In the Linux kernel, the following vulnerability has been resolved: capabilities: fix potential memleak on error path from vfs_getxattr_alloc() In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to complete the memory allocation of tmpbuf, if we have completed the memory allocation of tmpbuf, but failed to call handler->get(...), there will be a memleak in below logic: |-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...) | /* ^^^ alloc for tmpbuf */ |-- value = krealloc(*xattr_value, error + 1, flags) | /* ^^^ alloc memory */ |-- error = handler->get(handler, ...) | /* error! */ |-- *xattr_value = value | /* xattr_value is &tmpbuf (memory leak!) */ So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it. [PM: subject line and backtrace tweaks]

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/0c3e6288da650d1ec911a259c77bc2d88e498603	Patch
https://git.kernel.org/stable/c/2de8eec8afb75792440b8900a01d52b8f6742fd1	Patch
https://git.kernel.org/stable/c/6bb00eb21c0fbf18e5d3538c9ff0cf63fd0ace85	Patch
https://git.kernel.org/stable/c/7480aeff0093d8c54377553ec6b31110bea37b4d	Patch
https://git.kernel.org/stable/c/8cf0a1bc12870d148ae830a4ba88cfdf0e879cee	Patch
https://git.kernel.org/stable/c/90577bcc01c4188416a47269f8433f70502abe98	Patch
https://git.kernel.org/stable/c/cdf01c807e974048c43c7fd3ca574f6086a57906	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc1::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc2::::::
	cpe:2.3:o:linux:linux_kernel:6.1:rc3::::::

History

07 May 2025, 13:19

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.5
CWE		CWE-401
CPE		cpe:2.3:o:linux:linux_kernel:::::::: cpe:2.3:o:linux:linux_kernel:6.1:rc1:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc2:::::: cpe:2.3:o:linux:linux_kernel:6.1:rc3::::::
References	~~() https://git.kernel.org/stable/c/0c3e6288da650d1ec911a259c77bc2d88e498603 -~~	() https://git.kernel.org/stable/c/0c3e6288da650d1ec911a259c77bc2d88e498603 - Patch
References	~~() https://git.kernel.org/stable/c/2de8eec8afb75792440b8900a01d52b8f6742fd1 -~~	() https://git.kernel.org/stable/c/2de8eec8afb75792440b8900a01d52b8f6742fd1 - Patch
References	~~() https://git.kernel.org/stable/c/6bb00eb21c0fbf18e5d3538c9ff0cf63fd0ace85 -~~	() https://git.kernel.org/stable/c/6bb00eb21c0fbf18e5d3538c9ff0cf63fd0ace85 - Patch
References	~~() https://git.kernel.org/stable/c/7480aeff0093d8c54377553ec6b31110bea37b4d -~~	() https://git.kernel.org/stable/c/7480aeff0093d8c54377553ec6b31110bea37b4d - Patch
References	~~() https://git.kernel.org/stable/c/8cf0a1bc12870d148ae830a4ba88cfdf0e879cee -~~	() https://git.kernel.org/stable/c/8cf0a1bc12870d148ae830a4ba88cfdf0e879cee - Patch
References	~~() https://git.kernel.org/stable/c/90577bcc01c4188416a47269f8433f70502abe98 -~~	() https://git.kernel.org/stable/c/90577bcc01c4188416a47269f8433f70502abe98 - Patch
References	~~() https://git.kernel.org/stable/c/cdf01c807e974048c43c7fd3ca574f6086a57906 -~~	() https://git.kernel.org/stable/c/cdf01c807e974048c43c7fd3ca574f6086a57906 - Patch
First Time		Linux linux Kernel Linux

02 May 2025, 13:52

Type	Values Removed	Values Added
Summary		(es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: capacidades: reparar posible fuga de memoria en la ruta de error de vfs_getxattr_alloc() En cap_inode_getsecurity(), utilizaremos vfs_getxattr_alloc() para completar la asignación de memoria de tmpbuf, si hemos completado la asignación de memoria de tmpbuf, pero no pudimos llamar a handler->get(...), habrá una fuga de memoria en la siguiente lógica: \|-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...) \| /* ^^^ asignar para tmpbuf / \|-- valor = krealloc(xattr_value, error + 1, flags) \| /* ^^^ asignar memoria / \|-- error = handler->get(handler, ...) \| / ¡error! / \|-- xattr_value = valor \| /* xattr_value es &tmpbuf (¡pérdida de memoria!) */ Intentaremos liberar (tmpbuf) después de que vfs_getxattr_alloc() no pueda solucionarlo. [MP: línea de asunto y ajustes de backtrace]

01 May 2025, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-01 15:16

Updated : 2025-05-07 13:19

NVD link : CVE-2022-49890

Mitre link : CVE-2022-49890

CVE.ORG link : CVE-2022-49890

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-401

Missing Release of Memory after Effective Lifetime

5.5 /10