CVE-2024-41006
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/07/2024
Last modified: 21/08/2024
Description
In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nr_heartbeat_expiry()

syzbot reported a memory leak in nr_create() [0].

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."

    nr_connect
      nr_establish_data_link
        nr_start_heartbeat

    nr_release
      switch (nr->state)
      case NR_STATE_3
        nr->state = NR_STATE_2
        sock_set_flag(sk, SOCK_DESTROY);

    nr_rx_frame
      nr_process_rx_frame
        switch (nr->state)
        case NR_STATE_2
          nr_state2_machine()
            nr_disconnect()
              nr_sk(sk)->state = NR_STATE_0
              sock_set_flag(sk, SOCK_DEAD)

    nr_heartbeat_expiry
      switch (nr->state)
      case NR_STATE_0
        if (sock_flag(sk, SOCK_DESTROY) ||
            (sk->sk_state == TCP_LISTEN
             && sock_flag(sk, SOCK_DEAD)))
          sock_hold()  // ( !!! )
          nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.

[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
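The reference-count arithmetic behind case "a", as an added model that mirrors the call chain in the description rather than the kernel source. It assumes the netrom conventions that an armed heartbeat timer holds one socket reference (sk_reset_timer/sk_stop_timer), that nr_destroy_socket() drops the owner's reference, and that the patched condition is "hold only when sk_state == TCP_LISTEN", as the description states.

```c
/* Refcount model of the netrom path above (added illustration, not kernel code).
 * A connected socket holds two references: the owner's and the armed heartbeat timer's. */
#include <stdbool.h>

enum { NR_STATE_0, NR_STATE_2, NR_STATE_3 };
enum { TCP_LISTEN, TCP_ESTABLISHED, TCP_CLOSE };
struct sock {
    int refcnt, nr_state, sk_state;        /* sk_refcnt, nr->state, sk->sk_state */
    bool destroy, dead;                    /* SOCK_DESTROY, SOCK_DEAD */
    bool timer_pending, freed;             /* heartbeat armed; refcnt hit zero */
};

static void sock_hold(struct sock *sk) { sk->refcnt++; }
static void sock_put(struct sock *sk) { if (--sk->refcnt == 0) sk->freed = true; }
/* sk_reset_timer(): arming a timer that was not pending takes a reference */
static void nr_start_heartbeat(struct sock *sk) {
    if (!sk->timer_pending) { sk->timer_pending = true; sock_hold(sk); }
}
/* sk_stop_timer(): only a still-pending timer gives its reference back */
static void nr_stop_heartbeat(struct sock *sk) {
    if (sk->timer_pending) { sk->timer_pending = false; sock_put(sk); }
}
/* nr_destroy_socket(): stop the timer, then drop the owner's reference */
static void nr_destroy_socket(struct sock *sk) { nr_stop_heartbeat(sk); sock_put(sk); }

/* nr_release(), case NR_STATE_3: fd closed, socket lingers in state 2 */
static void nr_release(struct sock *sk) {
    sock_hold(sk);
    if (sk->nr_state == NR_STATE_3) {
        sk->nr_state = NR_STATE_2; sk->sk_state = TCP_CLOSE; sk->destroy = true;
    }
    sock_put(sk);
}

/* nr_heartbeat_expiry(), NR_STATE_0 branch; fixed=true models the patched hold */
static void nr_heartbeat_expiry(struct sock *sk, bool fixed) {
    sk->timer_pending = false;                 /* the timer has just fired */
    if (sk->nr_state == NR_STATE_0 &&
        (sk->destroy || (sk->sk_state == TCP_LISTEN && sk->dead))) {
        if (!fixed || sk->sk_state == TCP_LISTEN)
            sock_hold(sk);                     /* ( !!! ) never balanced in case "a" */
        nr_destroy_socket(sk);
    }
    sock_put(sk);                              /* out: the timer's reference */
}

/* Case "a": connect, close(), peer disconnects, heartbeat fires; returns final refcnt */
int refcnt_after_case_a(bool fixed) {
    struct sock sk = { .refcnt = 1, .nr_state = NR_STATE_3, .sk_state = TCP_ESTABLISHED };
    nr_start_heartbeat(&sk);                   /* nr_connect -> nr_start_heartbeat */
    nr_release(&sk);                           /* sets SOCK_DESTROY, state 2 */
    sk.nr_state = NR_STATE_0; sk.dead = true;  /* nr_rx_frame -> nr_disconnect */
    nr_heartbeat_expiry(&sk, fixed);
    return sk.refcnt;                          /* 1 = leaked socket, 0 = freed */
}
```

With the unconditional hold the count ends at 1 and the socket is never freed; with the hold restricted to listening sockets the timer's final sock_put() takes it to 0.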
Impact
Base Score 3.x: 5.50
Severity 3.x: MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 4.19.272 (including) | 4.19.317 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.4.231 (including) | 5.4.279 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.10.166 (including) | 5.10.221 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.15.91 (including) | 5.15.162 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.1.9 (including) | 6.1.96 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.36 (excluding) |
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.9.7 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
- https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
- https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
- https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
- https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
- https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
- https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
- https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313