CVE-2024-26961
Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 01/05/2024
Last modified: 23/12/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154_llsec_key_del() can free resources of a key directly without
following the RCU rules for waiting before the end of a grace period. This
may lead to use-after-free in case llsec_lookup_key() is traversing the
list of keys in parallel with a key deletion:

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
Modules linked in:
CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x162/0x2a0
Call Trace:

llsec_lookup_key.isra.0+0x890/0x9e0
mac802154_llsec_encrypt+0x30c/0x9c0
ieee802154_subif_start_xmit+0x24/0x1e0
dev_hard_start_xmit+0x13e/0x690
sch_direct_xmit+0x2ae/0xbc0
__dev_queue_xmit+0x11dd/0x3c20
dgram_sendmsg+0x90b/0xd60
__sys_sendto+0x466/0x4c0
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x45/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76

Also, ieee802154_llsec_key_entry structures are not freed by
mac802154_llsec_key_del():

unreferenced object 0xffff8880613b6980 (size 64):
comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)
hex dump (first 32 bytes):
78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......".......
00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................
backtrace:
[] __kmem_cache_alloc_node+0x1e2/0x2d0
[] kmalloc_trace+0x25/0xc0
[] mac802154_llsec_key_add+0xac9/0xcf0
[] ieee802154_add_llsec_key+0x5a/0x80
[] nl802154_add_llsec_key+0x426/0x5b0
[] genl_family_rcv_msg_doit+0x1fe/0x2f0
[] genl_rcv_msg+0x531/0x7d0
[] netlink_rcv_skb+0x169/0x440
[] genl_rcv+0x28/0x40
[] netlink_unicast+0x53c/0x820
[] netlink_sendmsg+0x93b/0xe60
[] ____sys_sendmsg+0xac5/0xca0
[] ___sys_sendmsg+0x11d/0x1c0
[] __sys_sendmsg+0xfa/0x1d0
[] do_syscall_64+0x45/0xf0
[] entry_SYSCALL_64_after_hwframe+0x6e/0x76

Handle the proper resource release in the RCU callback function
mac802154_llsec_key_del_rcu().

Note that if llsec_lookup_key() finds a key, it gets a refcount via
llsec_key_get() and locally copies key id from key_entry (which is a
list element). So it's safe to call llsec_key_put() and free the list
entry after the RCU grace period elapses.

Found by Linux Verification Center (linuxtesting.org).
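The release ordering the fix relies on (unlink now, drop the list's reference and free the entry only in a deferred callback after the grace period, while a reader that already found the key keeps it alive through its own reference) is shown below in a constructed userspace model. This is an added example, not the kernel's mac802154 code: `key_list`, `deferred_list`, `key_del_rcu()` and `rcu_grace_period_end()` are stand-ins for the RCU-protected list, `call_rcu()` and the grace period, and the counters are there only so the ordering can be checked.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed userspace model of the release pattern the fix describes (an
 * added example, not the kernel's mac802154 code): key entries sit on a list,
 * a lookup takes its own reference on the key and copies the id out of the
 * entry, and deletion only unlinks the entry. The key_put() and the free of
 * the list entry run in a deferred callback once the grace period has ended. */

struct key { int refcount; unsigned char material[16]; };   /* refcount models refcount_t */
struct key_entry { struct key_entry *next; int id; struct key *key; };
struct lookup_result { struct key *key; int id; };          /* key is NULL if not found */

static struct key_entry *key_list;       /* RCU-protected list stand-in */
static struct key_entry *deferred_list;  /* entries queued for the grace period */
static int keys_freed, entries_freed;    /* counters the checks below inspect */

static struct key *key_get(struct key *k) { k->refcount++; return k; }
static void key_put(struct key *k) { if (--k->refcount == 0) { free(k); keys_freed++; } }

int key_add(int id)
{
    struct key *k = calloc(1, sizeof(*k));
    struct key_entry *e = calloc(1, sizeof(*e));
    if (!k || !e) { free(k); free(e); return -1; }
    k->refcount = 1;                          /* the list's own reference */
    e->id = id; e->key = k; e->next = key_list;
    key_list = e;                             /* list_add_rcu() stand-in */
    return 0;
}

/* Reader side: as under rcu_read_lock(), take a reference before using the key
 * and copy the id out of the entry, so the entry is never touched afterwards. */
struct lookup_result lookup_key(int id)
{
    struct lookup_result r = { NULL, -1 };
    for (struct key_entry *e = key_list; e; e = e->next)
        if (e->id == id) { r.key = key_get(e->key); r.id = e->id; break; }
    return r;
}

/* Deferred callback, the stand-in for mac802154_llsec_key_del_rcu(): drop the
 * list's reference and free the entry only after existing readers are done. */
static void key_del_rcu(struct key_entry *e)
{
    key_put(e->key);
    free(e);
    entries_freed++;
}

/* Writer side: unlink the entry and queue it; nothing is freed here. */
int key_del(int id)
{
    for (struct key_entry **pp = &key_list; *pp; pp = &(*pp)->next) {
        if ((*pp)->id != id) continue;
        struct key_entry *e = *pp;
        *pp = e->next;                        /* list_del_rcu() stand-in */
        e->next = deferred_list; deferred_list = e;   /* call_rcu() stand-in */
        return 0;
    }
    return -1;
}

/* Stand-in for the end of an RCU grace period: run the queued callbacks. */
int rcu_grace_period_end(void)
{
    int n = 0;
    while (deferred_list) {
        struct key_entry *e = deferred_list;
        deferred_list = e->next;
        key_del_rcu(e); n++;
    }
    return n;
}

/* A reader that found the key before it was deleted, interleaved with the
 * deletion; returns how many of the six ordering checks held. */
int run_scenario(void)
{
    int ok = 0;
    keys_freed = entries_freed = 0;
    if (key_add(7) != 0) return ok;
    struct lookup_result r = lookup_key(7);   /* reader now holds a reference */
    ok += (r.key != NULL && r.id == 7 && r.key->refcount == 2);
    ok += (key_del(7) == 0 && keys_freed == 0 && entries_freed == 0);   /* nothing freed yet */
    ok += (lookup_key(7).key == NULL);        /* unlinked: later readers cannot find it */
    ok += (rcu_grace_period_end() == 1 && entries_freed == 1 && keys_freed == 0);
    ok += (r.key->refcount == 1);             /* the reader's reference keeps the key alive */
    key_put(r.key);                           /* reader done: the key is freed only now */
    ok += (keys_freed == 1);
    return ok;
}

int main(void)
{
    printf("ordering checks passed: %d/6\n", run_scenario());
    return 0;
}
```

The two counters make the defect in the pre-fix code visible by contrast: freeing the key inside `key_del()` instead of in `key_del_rcu()` would drop `keys_freed` to 1 while the reader's `r.key` is still in use (the `refcount_t: addition on 0` warning in the trace above), and never freeing the entry at all would leave `entries_freed` at 0, which is the leak kmemleak reported.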
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 3.16 (including) | 5.10.215 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.11 (including) | 5.15.154 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.16 (including) | 6.1.84 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.24 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.7.12 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.8 (including) | 6.8.3 (excluding) |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/068ab2759bc0b4daf0b964de61b2731449c86531
- https://git.kernel.org/stable/c/20d3e1c8a1847497269f04d874b2a5818ec29e2d
- https://git.kernel.org/stable/c/49c8951680d7b76fceaee89dcfbab1363fb24fd1
- https://git.kernel.org/stable/c/640297c3e897bd7e1481466a6a5cb9560f1edb88
- https://git.kernel.org/stable/c/d3d858650933d44ac12c1f31337e7110c2071821
- https://git.kernel.org/stable/c/dcd51ab42b7a0431575689c5f74b8b6efd45fc2f
- https://git.kernel.org/stable/c/e8a1e58345cf40b7b272e08ac7b32328b2543e40
- https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html