CVE-2024-41006

netrom: Fix a memory leak in nr_heartbeat_expiry()

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nr_heartbeat_expiry()

syzbot reported a memory leak in nr_create() [0].

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.")
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case "b."

nr_connect
nr_establish_data_link
nr_start_heartbeat

nr_release
switch (nr->state)
case NR_STATE_3
nr->state = NR_STATE_2
sock_set_flag(sk, SOCK_DESTROY);

nr_rx_frame
nr_process_rx_frame
switch (nr->state)
case NR_STATE_2
nr_state2_machine()
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0
sock_set_flag(sk, SOCK_DEAD)

nr_heartbeat_expiry
switch (nr->state)
case NR_STATE_0
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN
&& sock_flag(sk, SOCK_DEAD)))
sock_hold() // ( !!! )
nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.

[0]: https://syzkaller.appspot.com/bug?extid=d327a1f3b12e1e206c16

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-07-12 CVE Reserved
2024-07-12 CVE Published
2024-08-22 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (15)

URL	Tag	Source
https://git.kernel.org/stable/c/a31caf5779ace8fa98b0d454133808e082ee7a1b	Vuln. Introduced
https://git.kernel.org/stable/c/fe9b9e621cebe6b7e83f7e954c70f8bb430520e5	Vuln. Introduced
https://git.kernel.org/stable/c/7de16d75b20ab13b75a7291f449a1b00090edfea	Vuln. Introduced
https://git.kernel.org/stable/c/d2d3ab1b1de3302de2c85769121fd4f890e47ceb	Vuln. Introduced
https://git.kernel.org/stable/c/51e394c6f81adbfe7c34d15f58b3d4d44f144acf	Vuln. Introduced
https://git.kernel.org/stable/c/409db27e3a2eb5e8ef7226ca33be33361b3ed1c9	Vuln. Introduced
https://git.kernel.org/stable/c/e666990abb2e42dd4ba979b4706280a3664cfae7	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c	2024-07-05
https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313	2024-07-05
https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba	2024-07-05
https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937	2024-07-05
https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b	2024-06-27
https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8	2024-06-27
https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712	2024-06-27
https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735	2024-06-17

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 4.19.272 < 4.19.317 Search vendor "Linux" for product "Linux Kernel" and version " >= 4.19.272 < 4.19.317"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.4.231 < 5.4.279 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.231 < 5.4.279"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.10.166 < 5.10.221 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.10.166 < 5.10.221"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.15.91 < 5.15.162 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.15.91 < 5.15.162"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1.9 < 6.1.96 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1.9 < 6.1.96"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.6.36 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.6.36"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.9.7 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.9.7"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.2 < 6.10 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.2 < 6.10"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				4.14.305 Search vendor "Linux" for product "Linux Kernel" and version "4.14.305"		en		Affected