Bug 1227862 (CVE-2024-41006)

Summary: VUL-0: CVE-2024-41006: kernel: netrom: fix a memory leak in nr_heartbeat_expiry()
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: CVE kernel patch monkeys <cve-kpm>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: camila.matos, miroslav.franc
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/413933/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-41006:4.4:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-07-15 16:55:00 UTC 
In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nr_heartbeat_expiry()

syzbot reported a memory leak in nr_create() [0].

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."

nr_connect
  nr_establish_data_link
    nr_start_heartbeat

nr_release
  switch (nr->state)
  case NR_STATE_3
    nr->state = NR_STATE_2
    sock_set_flag(sk, SOCK_DESTROY);

                        nr_rx_frame
                          nr_process_rx_frame
                            switch (nr->state)
                            case NR_STATE_2
                              nr_state2_machine()
                                nr_disconnect()
                                  nr_sk(sk)->state = NR_STATE_0
                                  sock_set_flag(sk, SOCK_DEAD)

                        nr_heartbeat_expiry
                          switch (nr->state)
                          case NR_STATE_0
                            if (sock_flag(sk, SOCK_DESTROY) ||
                               (sk->sk_state == TCP_LISTEN
                                 && sock_flag(sk, SOCK_DEAD)))
                               sock_hold()  // ( !!! )
                               nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.

[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-41006
https://www.cve.org/CVERecord?id=CVE-2024-41006
https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-41006.mbox