CVE-2024-40910

In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*

History

21 Nov 2024, 09:31

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 - Patch () https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 - Patch
References () https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3 - Patch () https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3 - Patch
References () https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964 - Patch () https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964 - Patch
References () https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb - Patch () https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb - Patch

29 Aug 2024, 13:55

Type Values Removed Values Added
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 5.5
CWE NVD-CWE-Other
First Time Linux linux Kernel
Linux
References () https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 - () https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 - Patch
References () https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3 - () https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3 - Patch
References () https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964 - () https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964 - Patch
References () https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb - () https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb - Patch
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: ax25: corrige el desequilibrio de recuento en conexiones entrantes Al liberar un socket en ax25_release(), llamamos a netdev_put() para disminuir el recuento en el dispositivo ax.25 asociado. Sin embargo, la ruta de ejecución para aceptar una conexión entrante nunca llama a netdev_hold(). Este desequilibrio conduce a errores de recuento y, en última instancia, a fallos del kernel. Un seguimiento de llamada típico para la situación anterior comenzará con uno de los siguientes errores: refcount_t: decrement hit 0; pérdida de memoria. refcount_t: desbordamiento insuficiente; use-after-free. Y luego tendrá un seguimiento como: Call Trace: ? show_regs+0x64/0x70? __advertir+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100? report_bug+0x158/0x190? prb_read_valid+0x20/0x30? handle_bug+0x3e/0x70? exc_invalid_op+0x1c/0x70? asm_exc_invalid_op+0x1f/0x30? refcount_warn_saturate+0xb2/0x100? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] Al reiniciar (o cualquier intento de eliminar la interfaz), el kernel se atasca en un bucle infinito: unregister_netdevice: esperando ax0 para quedar libre. Recuento de uso = 0 Este parche corrige estos problemas asegurando que llamemos a netdev_hold() y ax25_dev_hold() para nuevas conexiones en ax25_accept(). Esto hace que la lógica que conduce a ax25_accept() coincida con la lógica de ax25_bind(): en ambos casos incrementamos el refcount, que finalmente disminuye en ax25_release().

12 Jul 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-07-12 13:15

Updated : 2024-11-21 09:31


NVD link : CVE-2024-40910

Mitre link : CVE-2024-40910

CVE.ORG link : CVE-2024-40910


JSON object : View

Products Affected

linux

  • linux_kernel