CVE-2024-41006

netrom: Fix a memory leak in nr_heartbeat_expiry()

Severity Score

5.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

In the Linux kernel, the following vulnerability has been resolved: netrom: Fix a memory leak in nr_heartbeat_expiry() syzbot reported a memory leak in nr_create() [0]. Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag. But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b." nr_connect nr_establish_data_link nr_start_heartbeat nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY); nr_rx_frame nr_process_rx_frame switch (nr->state) case NR_STATE_2 nr_state2_machine() nr_disconnect() nr_sk(sk)->state = NR_STATE_0 sock_set_flag(sk, SOCK_DEAD) nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sock_flag(sk, SOCK_DESTROY) || (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD))) sock_hold() // ( !!! ) nr_destroy_socket() To fix the memory leak, let's call sock_hold() only for a listening socket. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller. [0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-12 CVE Published
2024-12-19 CVE Updated
2025-03-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (15)

URL	Tag	Source
https://git.kernel.org/stable/c/a31caf5779ace8fa98b0d454133808e082ee7a1b	Vuln. Introduced
https://git.kernel.org/stable/c/fe9b9e621cebe6b7e83f7e954c70f8bb430520e5	Vuln. Introduced
https://git.kernel.org/stable/c/7de16d75b20ab13b75a7291f449a1b00090edfea	Vuln. Introduced
https://git.kernel.org/stable/c/d2d3ab1b1de3302de2c85769121fd4f890e47ceb	Vuln. Introduced
https://git.kernel.org/stable/c/51e394c6f81adbfe7c34d15f58b3d4d44f144acf	Vuln. Introduced
https://git.kernel.org/stable/c/409db27e3a2eb5e8ef7226ca33be33361b3ed1c9	Vuln. Introduced
https://git.kernel.org/stable/c/e666990abb2e42dd4ba979b4706280a3664cfae7	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c	2024-07-05
https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313	2024-07-05
https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba	2024-07-05
https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937	2024-07-05
https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b	2024-06-27
https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8	2024-06-27
https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712	2024-06-27
https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735	2024-06-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.272 < 4.19.317 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.272 < 4.19.317"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.231 < 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.231 < 5.4.279"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.166 < 5.10.221 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.166 < 5.10.221"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.91 < 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.91 < 5.15.162"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.9 < 6.1.96 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.9 < 6.1.96"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.6.36 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.6.36"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.9.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.9.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.305 Search vendor "Linux" for product "Linux Kernel" and version "4.14.305"		en		Affected