fkie_cve-2024-41006
Vulnerability from fkie_nvd
Published
2024-07-12 13:15
Modified
2024-11-21 09:32
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix a memory leak in nr_heartbeat_expiry()
syzbot reported a memory leak in nr_create() [0].
Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.
But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."
nr_connect
nr_establish_data_link
nr_start_heartbeat
nr_release
switch (nr->state)
case NR_STATE_3
nr->state = NR_STATE_2
sock_set_flag(sk, SOCK_DESTROY);
nr_rx_frame
nr_process_rx_frame
switch (nr->state)
case NR_STATE_2
nr_state2_machine()
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0
sock_set_flag(sk, SOCK_DEAD)
nr_heartbeat_expiry
switch (nr->state)
case NR_STATE_0
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN
&& sock_flag(sk, SOCK_DEAD)))
sock_hold() // ( !!! )
nr_destroy_socket()
To fix the memory leak, let's call sock_hold() only for a listening socket.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.
[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | * | |
| linux | linux_kernel | 6.10 | |
| linux | linux_kernel | 6.10 | |
| linux | linux_kernel | 6.10 | |
| linux | linux_kernel | 6.10 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "0799BB5F-A0F0-4290-872D-24364C18F638", versionEndExcluding: "4.19.317", versionStartIncluding: "4.19.272", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "4821FCF8-B57B-4F3C-B3FC-5CFAEA2C6BC5", versionEndExcluding: "5.4.279", versionStartIncluding: "5.4.231", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "E81DAF77-0E91-457C-AC9D-117B2D0BF7CB", versionEndExcluding: "5.10.221", versionStartIncluding: "5.10.166", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "2E0E5DA0-5043-4127-8316-B0E03B88EE6E", versionEndExcluding: "5.15.162", versionStartIncluding: "5.15.91", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "012144F5-2368-4D39-ABE2-07E7568304BB", versionEndExcluding: "6.1.96", versionStartIncluding: "6.1.9", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "E1046C95-860A-45B0-B718-2B29F65BFF10", versionEndExcluding: "6.6.36", versionStartIncluding: "6.2", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", matchCriteriaId: "0A047AF2-94AC-4A3A-B32D-6AB930D8EF1C", versionEndExcluding: "6.9.7", versionStartIncluding: "6.7", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.10:rc1:*:*:*:*:*:*", matchCriteriaId: "2EBB4392-5FA6-4DA9-9772-8F9C750109FA", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.10:rc2:*:*:*:*:*:*", matchCriteriaId: "331C2F14-12C7-45D5-893D-8C52EE38EA10", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.10:rc3:*:*:*:*:*:*", matchCriteriaId: "3173713D-909A-4DD3-9DD4-1E171EB057EE", vulnerable: true, }, { criteria: "cpe:2.3:o:linux:linux_kernel:6.10:rc4:*:*:*:*:*:*", matchCriteriaId: "79F18AFA-40F7-43F0-BA30-7BDB65F918B9", vulnerable: true, }, ], negate: false, operator: "OR", }, ], }, ], cveTags: [], descriptions: [ { lang: "en", value: "In the Linux kernel, the following vulnerability has been resolved:\n\nnetrom: Fix a memory leak in nr_heartbeat_expiry()\n\nsyzbot reported a memory leak in nr_create() [0].\n\nCommit 409db27e3a2e (\"netrom: Fix use-after-free of a listening socket.\")\nadded sock_hold() to the nr_heartbeat_expiry() function, where\na) a socket has a SOCK_DESTROY flag or\nb) a listening socket has a SOCK_DEAD flag.\n\nBut in the case \"a,\" when the SOCK_DESTROY flag is set, the file descriptor\nhas already been closed and the nr_release() function has been called.\nSo it makes no sense to hold the reference count because no one will\ncall another nr_destroy_socket() and put it as in the case \"b.\"\n\nnr_connect\n nr_establish_data_link\n nr_start_heartbeat\n\nnr_release\n switch (nr->state)\n case NR_STATE_3\n nr->state = NR_STATE_2\n sock_set_flag(sk, SOCK_DESTROY);\n\n nr_rx_frame\n nr_process_rx_frame\n switch (nr->state)\n case NR_STATE_2\n nr_state2_machine()\n nr_disconnect()\n nr_sk(sk)->state = NR_STATE_0\n sock_set_flag(sk, SOCK_DEAD)\n\n nr_heartbeat_expiry\n switch (nr->state)\n case NR_STATE_0\n if (sock_flag(sk, SOCK_DESTROY) ||\n (sk->sk_state == TCP_LISTEN\n && sock_flag(sk, SOCK_DEAD)))\n sock_hold() // ( !!! )\n nr_destroy_socket()\n\nTo fix the memory leak, let's call sock_hold() only for a listening socket.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller.\n\n[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16", }, { lang: "es", value: "En el kernel de Linux, se resolvió la siguiente vulnerabilidad: netrom: corrige una pérdida de memoria en nr_heartbeat_expiry() syzbot informó una pérdida de memoria en nr_create() [0]. El commit 409db27e3a2e (\"netrom: Reparar el use-after-free de un socket de escucha\") agregó sock_hold() a la función nr_heartbeat_expiry(), donde a) un socket tiene un indicador SOCK_DESTROY ob) un socket de escucha tiene un indicador SOCK_DEAD. Pero en el caso \"a\", cuando se establece el indicador SOCK_DESTROY, el descriptor de archivo ya se ha cerrado y se ha llamado a la función nr_release(). Por lo tanto, no tiene sentido mantener el recuento de referencias porque nadie llamará a otro nr_destroy_socket() y lo pondrá como en el caso \"b\". nr_connect nr_establecer_data_link nr_start_heartbeat nr_release interruptor (nr->estado) caso NR_STATE_3 nr->estado = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame interruptor (nr->estado) caso NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->estado = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry interruptor (nr->estado) caso NR_STATE_0 if (sock_flag(sk, OCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() Para solucionar la pérdida de memoria, llamemos a sock_hold() solo para un socket de escucha. Encontrado por InfoTeCS en nombre del Centro de verificación de Linux (linuxtesting.org) con Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16", }, ], id: "CVE-2024-41006", lastModified: "2024-11-21T09:32:03.057", metrics: { cvssMetricV31: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 5.5, baseSeverity: "MEDIUM", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", version: "3.1", }, exploitabilityScore: 1.8, impactScore: 3.6, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2024-07-12T13:15:21.370", references: [ { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", }, { source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Mailing List", "Patch", ], url: "https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313", }, ], sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-401", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.