| Summary: |
VUL-0: CVE-2024-40910: kernel: ax25: Fix refcount imbalance on inbound connections |
| Product: |
[Novell Products] SUSE Security Incidents
|
Reporter: |
SMASH SMASH <smash_bz> |
| Component: |
Incidents | Assignee: |
Davide Benini <davide.benini> |
| Status: |
NEW
---
|
QA Contact: |
Security Team bot <security-team> |
| Severity: |
Normal
|
|
|
| Priority: |
P2 - High
|
CC: |
andrea.mattiazzo, davide.benini, denis.kirjanov, miroslav.franc, mkubecek
|
| Version: |
unspecified | |
|
| Target Milestone: |
--- | |
|
| Hardware: |
Other | |
|
| OS: |
Other | |
|
| URL: |
https://smash.suse.de/issue/413837/
|
| Whiteboard: |
CVSSv3.1:SUSE:CVE-2024-40910:7.5:(AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) |
|
Found By:
|
Security Response Team
|
Services Priority:
|
|
|---|
|
Business Priority:
|
|
Blocker:
|
---
|
|---|
|
Marketing QA Status:
|
---
|
IT Deployment:
|
---
|
|---|
| Bug Depends on: |
|
|
|
| Bug Blocks: |
1227902
|
|
|
In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount imbalance on inbound connections When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes. A typical call trace for the above situation will start with one of the following errors: refcount_t: decrement hit 0; leaking memory. refcount_t: underflow; use-after-free. And will then have a trace like: Call Trace: <TASK> ? show_regs+0x64/0x70 ? __warn+0x83/0x120 ? refcount_warn_saturate+0xb2/0x100 ? report_bug+0x158/0x190 ? prb_read_valid+0x20/0x30 ? handle_bug+0x3e/0x70 ? exc_invalid_op+0x1c/0x70 ? asm_exc_invalid_op+0x1f/0x30 ? refcount_warn_saturate+0xb2/0x100 ? refcount_warn_saturate+0xb2/0x100 ax25_release+0x2ad/0x360 __sock_release+0x35/0xa0 sock_close+0x19/0x20 [...] On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop: unregister_netdevice: waiting for ax0 to become free. Usage count = 0 This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release(). References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-40910 https://www.cve.org/CVERecord?id=CVE-2024-40910 https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774 https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3 https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964 https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-40910.mbox