In the Linux kernel, the following vulnerability has been resolved:
ax25: Fix refcount imbalance on inbound connections
When releasing a socket in ax25release(), we call netdevput() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes.
A typical call trace for the above situation will start with one of the following errors:
refcount_t: decrement hit 0; leaking memory.
refcount_t: underflow; use-after-free.
And will then have a trace like:
Call Trace:
<TASK>
? show_regs+0x64/0x70
? __warn+0x83/0x120
? refcount_warn_saturate+0xb2/0x100
? report_bug+0x158/0x190
? prb_read_valid+0x20/0x30
? handle_bug+0x3e/0x70
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? refcount_warn_saturate+0xb2/0x100
? refcount_warn_saturate+0xb2/0x100
ax25_release+0x2ad/0x360
__sock_release+0x35/0xa0
sock_close+0x19/0x20
[...]
On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop:
unregister_netdevice: waiting for ax0 to become free. Usage count = 0
This patch corrects these issues by ensuring that we call netdevhold() and ax25devhold() for new connections in ax25accept(). This makes the logic leading to ax25accept() match the logic for ax25bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().
{ "vanir_signatures": [ { "id": "CVE-2024-40910-086f4b63", "signature_type": "Function", "target": { "file": "net/ax25/af_ax25.c", "function": "ax25_accept" }, "signature_version": "v1", "digest": { "length": 989.0, "function_hash": "216479016879134730073234279053872288296" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c34fb0bd4a4237592c5ecb5b2e2531900c55774" }, { "id": "CVE-2024-40910-3722abee", "signature_type": "Function", "target": { "file": "net/ax25/af_ax25.c", "function": "ax25_accept" }, "signature_version": "v1", "digest": { "length": 992.0, "function_hash": "181564203976616453977703694787126639324" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@52100fd74ad07b53a4666feafff1cd11436362d3" }, { "id": "CVE-2024-40910-9db4ac29", "signature_type": "Line", "target": { "file": "net/ax25/af_ax25.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "231413395243334131944363410653271018918", "212979375508500879623101789602410270178", "173668079547284986840082092612005069471", "304305379185934311244233076656229172230", "309771897554683164468753952770917452168", "293400711513329605147684515980341937027", "12356964872696347025185920769411135733", "140239120732867851690703446654843558201", "267015774098367358559838313655561797508", "59348495161938152673406456863102988357" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@52100fd74ad07b53a4666feafff1cd11436362d3" }, { "id": "CVE-2024-40910-9e56c932", "signature_type": "Function", "target": { "file": "net/ax25/af_ax25.c", "function": "ax25_accept" }, "signature_version": "v1", "digest": { "length": 992.0, "function_hash": "181564203976616453977703694787126639324" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964" }, { "id": "CVE-2024-40910-ba67f07a", "signature_type": "Line", "target": { "file": "net/ax25/af_ax25.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "231413395243334131944363410653271018918", "212979375508500879623101789602410270178", "173668079547284986840082092612005069471", "304305379185934311244233076656229172230", "309771897554683164468753952770917452168", "293400711513329605147684515980341937027", "12356964872696347025185920769411135733", "140239120732867851690703446654843558201", "267015774098367358559838313655561797508", "59348495161938152673406456863102988357" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964" }, { "id": "CVE-2024-40910-e804e4d5", "signature_type": "Line", "target": { "file": "net/ax25/af_ax25.c" }, "signature_version": "v1", "digest": { "line_hashes": [ "90721322588189035242797874895324149983", "212979375508500879623101789602410270178", "173668079547284986840082092612005069471", "304305379185934311244233076656229172230", "309771897554683164468753952770917452168", "293400711513329605147684515980341937027", "12356964872696347025185920769411135733", "140239120732867851690703446654843558201", "267015774098367358559838313655561797508", "59348495161938152673406456863102988357" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3c34fb0bd4a4237592c5ecb5b2e2531900c55774" } ] }