Bug 1227832 (CVE-2024-40910) - VUL-0: CVE-2024-40910: kernel: ax25: Fix refcount imbalance on inbound connections
Summary: VUL-0: CVE-2024-40910: kernel: ax25: Fix refcount imbalance on inbound connec...
Status: NEW
Alias: CVE-2024-40910
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Normal
Target Milestone: ---
Assignee: Davide Benini
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/413837/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-40910:7.5:(AV:...
Keywords:
Depends on:
Blocks: 1227902
  Show dependency treegraph
 
Reported: 2024-07-15 13:39 UTC by SMASH SMASH
Modified: 2024-07-17 16:52 UTC (History)
5 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-07-15 13:39:44 UTC 
In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix refcount imbalance on inbound connections

When releasing a socket in ax25_release(), we call netdev_put() to
decrease the refcount on the associated ax.25 device. However, the
execution path for accepting an incoming connection never calls
netdev_hold(). This imbalance leads to refcount errors, and ultimately
to kernel crashes.

A typical call trace for the above situation will start with one of the
following errors:

    refcount_t: decrement hit 0; leaking memory.
    refcount_t: underflow; use-after-free.

And will then have a trace like:

    Call Trace:
    <TASK>
    ? show_regs+0x64/0x70
    ? __warn+0x83/0x120
    ? refcount_warn_saturate+0xb2/0x100
    ? report_bug+0x158/0x190
    ? prb_read_valid+0x20/0x30
    ? handle_bug+0x3e/0x70
    ? exc_invalid_op+0x1c/0x70
    ? asm_exc_invalid_op+0x1f/0x30
    ? refcount_warn_saturate+0xb2/0x100
    ? refcount_warn_saturate+0xb2/0x100
    ax25_release+0x2ad/0x360
    __sock_release+0x35/0xa0
    sock_close+0x19/0x20
    [...]

On reboot (or any attempt to remove the interface), the kernel gets
stuck in an infinite loop:

    unregister_netdevice: waiting for ax0 to become free. Usage count = 0

This patch corrects these issues by ensuring that we call netdev_hold()
and ax25_dev_hold() for new connections in ax25_accept(). This makes the
logic leading to ax25_accept() match the logic for ax25_bind(): in both
cases we increment the refcount, which is ultimately decremented in
ax25_release().

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-40910
https://www.cve.org/CVERecord?id=CVE-2024-40910
https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774
https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3
https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964
https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb
https://git.kernel.org/pub/scm/linux/security/vulns.git/plain/cve/published/2024/CVE-2024-40910.mbox