CVE-2024-40910

ax25: Fix refcount imbalance on inbound connections

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

ax25: Fix refcount imbalance on inbound connections

When releasing a socket in ax25_release(), we call netdev_put() to
decrease the refcount on the associated ax.25 device. However, the
execution path for accepting an incoming connection never calls
netdev_hold(). This imbalance leads to refcount errors, and ultimately
to kernel crashes.

A typical call trace for the above situation will start with one of the
following errors:

refcount_t: decrement hit 0; leaking memory.
refcount_t: underflow; use-after-free.

And will then have a trace like:

Call Trace:
<TASK>
? show_regs+0x64/0x70
? __warn+0x83/0x120
? refcount_warn_saturate+0xb2/0x100
? report_bug+0x158/0x190
? prb_read_valid+0x20/0x30
? handle_bug+0x3e/0x70
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? refcount_warn_saturate+0xb2/0x100
? refcount_warn_saturate+0xb2/0x100
ax25_release+0x2ad/0x360
__sock_release+0x35/0xa0
sock_close+0x19/0x20
[...]

On reboot (or any attempt to remove the interface), the kernel gets
stuck in an infinite loop:

unregister_netdevice: waiting for ax0 to become free. Usage count = 0

This patch corrects these issues by ensuring that we call netdev_hold()
and ax25_dev_hold() for new connections in ax25_accept(). This makes the
logic leading to ax25_accept() match the logic for ax25_bind(): in both
cases we increment the refcount, which is ultimately decremented in
ax25_release().

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-12 CVE Published
2024-08-30 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (11)

URL	Tag	Source
https://git.kernel.org/stable/c/9fd75b66b8f68498454d685dc4ba13192ae069b0	Vuln. Introduced
https://git.kernel.org/stable/c/c44a453ffe16eb08acdc6129ac4fa0192dbc0456	Vuln. Introduced
https://git.kernel.org/stable/c/de55a1338e6a48ff1e41ea8db1432496fbe2a62b	Vuln. Introduced
https://git.kernel.org/stable/c/9e1e088a57c23251f1cfe9601bbd90ade2ea73b9	Vuln. Introduced
https://git.kernel.org/stable/c/b20a5ab0f5fb175750c6bafd4cf12daccf00c738	Vuln. Introduced
https://git.kernel.org/stable/c/452ae92b99062d2f6a34324eaf705a3b7eac9f8b	Vuln. Introduced
https://git.kernel.org/stable/c/534156dd4ed768e30a43de0036f45dca7c54818f	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb	2024-06-21
https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3	2024-06-21
https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964	2024-06-21
https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774	2024-06-01

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.1.95 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.1.95"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.6.35 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.6.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.9.6 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.9.6"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.18 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.277 Search vendor "Linux" for product "Linux Kernel" and version "4.14.277"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.19.240 Search vendor "Linux" for product "Linux Kernel" and version "4.19.240"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.4.190 Search vendor "Linux" for product "Linux Kernel" and version "5.4.190"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.10.112 Search vendor "Linux" for product "Linux Kernel" and version "5.10.112"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.15.35 Search vendor "Linux" for product "Linux Kernel" and version "5.15.35"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				5.17.2 Search vendor "Linux" for product "Linux Kernel" and version "5.17.2"		en		Affected