5.5

CVE-2023-53078

scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()

In the Linux kernel, the following vulnerability has been resolved:

scsi: scsi_dh_alua: Fix memleak for 'qdata' in alua_activate()

If alua_rtpg_queue() failed from alua_activate(), then 'qdata' is not
freed, which will cause following memleak:

unreferenced object 0xffff88810b2c6980 (size 32):
  comm "kworker/u16:2", pid 635322, jiffies 4355801099 (age 1216426.076s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    40 39 24 c1 ff ff ff ff 00 f8 ea 0a 81 88 ff ff  @9$.............
  backtrace:
    [<0000000098f3a26d>] alua_activate+0xb0/0x320
    [<000000003b529641>] scsi_dh_activate+0xb2/0x140
    [<000000007b296db3>] activate_path_work+0xc6/0xe0 [dm_multipath]
    [<000000007adc9ace>] process_one_work+0x3c5/0x730
    [<00000000c457a985>] worker_thread+0x93/0x650
    [<00000000cb80e628>] kthread+0x1ba/0x210
    [<00000000a1e61077>] ret_from_fork+0x22/0x30

Fix the problem by freeing 'qdata' in error path.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LinuxLinux Kernel Version >= 4.9.21 < 4.10
LinuxLinux Kernel Version >= 4.10.9 < 4.11
LinuxLinux Kernel Version >= 4.11.1 < 4.14.312
LinuxLinux Kernel Version >= 4.15 < 4.19.280
LinuxLinux Kernel Version >= 4.20 < 5.4.240
LinuxLinux Kernel Version >= 5.5 < 5.10.177
LinuxLinux Kernel Version >= 5.11 < 5.15.105
LinuxLinux Kernel Version >= 5.16 < 6.1.22
LinuxLinux Kernel Version >= 6.2 < 6.2.9
LinuxLinux Kernel Version4.11 Update-
LinuxLinux Kernel Version4.11 Updaterc5
LinuxLinux Kernel Version4.11 Updaterc6
LinuxLinux Kernel Version4.11 Updaterc7
LinuxLinux Kernel Version4.11 Updaterc8
LinuxLinux Kernel Version6.3 Updaterc1
LinuxLinux Kernel Version6.3 Updaterc2
LinuxLinux Kernel Version6.3 Updaterc3
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.17% 0.062
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.5 1.8 3.6
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE-401 Missing Release of Memory after Effective Lifetime

The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.

https://git.kernel.org/stable/c/123483df146492ca22b503ae6dacc2ce7c3a3974
Patch
https://git.kernel.org/stable/c/c110051d335ef7f62ad33474b0c23997fee5bfb5
Patch
https://git.kernel.org/stable/c/5c4d71424df34fc23dc5336d09394ce68c849542
Patch
https://git.kernel.org/stable/c/c09cdf6eb815ee35e55d6c50ac7f63db58bd20b8
Patch
https://git.kernel.org/stable/c/9311e7a554dffd3823499e309a8b86a5cd1540e5
Patch
https://git.kernel.org/stable/c/1c55982beb80c7d3c30278fc6cfda8496a31dbe6
Patch
https://git.kernel.org/stable/c/0d89254a4320eb7de0970c478172f764125c6355
Patch
https://git.kernel.org/stable/c/a13faca032acbf2699293587085293bdfaafc8ae
Patch