Linux Kernel OrangeFS Module Memory Leak Vulnerability

Vulnerability

A memory leak vulnerability has been identified in the OrangeFS module of the Linux kernel. This issue occurs in the 'orangefs_kernel_debug_init' and 'orangefs_client_debug_init' functions, where dynamically allocated memory is not properly released. The vulnerability leads to unreferenced objects remaining in memory, as indicated by kmemleak reports. The leaked memory is associated with the module insertion process, creating a potential for increased memory usage over time.

Impact

The vulnerability causes a memory leak, where allocated memory is not freed, leading to increased memory usage and potential exhaustion of system resources.

Reproduction

To reproduce this vulnerability, insert the OrangeFS module into the Linux kernel. After the module is loaded, remove it. During this process, the module's debug initialization functions will allocate memory that is not properly released, creating a memory leak. This can be verified by checking the kmemleak reports, which will show unreferenced objects corresponding to the leaked memory.
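The kmemleak check described above can be scripted. The following is an added example, not code from this advisory or from the kernel project: it counts kmemleak records whose backtrace names either of the two functions mentioned on this page and sums their sizes. The function names `orangefs_leaks` and `sample_report` are hypothetical, and the sample report is constructed and abbreviated (addresses, PIDs and sizes are made up).

```shell
#!/bin/sh
# Added example (not from the advisory): count kmemleak records whose
# backtrace names the OrangeFS debug-init functions, and sum their sizes.
# Live use on a test kernel built with CONFIG_DEBUG_KMEMLEAK, as root:
#   modprobe orangefs && rmmod orangefs
#   echo scan > /sys/kernel/debug/kmemleak
#   orangefs_leaks < /sys/kernel/debug/kmemleak

# Reads a kmemleak report on stdin, prints "<records> <total bytes>".
orangefs_leaks() {
    awk '
        # Close the current record: count it only if its backtrace matched.
        function close_rec() {
            if (hit) { n++; total += size }
            hit = 0; size = 0
        }
        /^unreferenced object/ {
            close_rec()
            # The header carries the allocation size as "(size N):".
            if (match($0, /size [0-9]+/)) { size = substr($0, RSTART + 5, RLENGTH - 5) + 0 }
            next
        }
        /orangefs_(kernel|client)_debug_init/ { hit = 1 }
        END { close_rec(); printf "%d %d\n", n, total }
    '
}

# Constructed, abbreviated sample report (addresses, PIDs, sizes are made up).
sample_report() {
    cat <<'EOF'
unreferenced object 0xffff888100000000 (size 1024):
  comm "insmod", pid 1000, jiffies 4294900000
  backtrace:
    kmalloc_trace+0x27/0xa0
    orangefs_kernel_debug_init+0x1a/0x70 [orangefs]
unreferenced object 0xffff888100001000 (size 2048):
  comm "insmod", pid 1000, jiffies 4294900010
  backtrace:
    kmalloc_trace+0x27/0xa0
    orangefs_client_debug_init+0x22/0x90 [orangefs]
unreferenced object 0xffff888100002000 (size 64):
  comm "systemd", pid 1, jiffies 4294800000
  backtrace:
    kmalloc_trace+0x27/0xa0
    some_other_driver_probe+0x40/0x100
EOF
}

sample_report | orangefs_leaks   # prints "2 3072"
```

On a patched kernel the same load/unload cycle should report `0 0` for these two functions.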

Remediation

The vulnerability has been addressed by modifying the OrangeFS module to use static global variables as buffers instead of dynamically allocating memory. Users should update to the latest version of the Linux kernel where this fix has been applied.

Added: Sep 18, 2025, 4:06 PM
Updated: Sep 18, 2025, 4:06 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.8
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.