CVE-2024-40910
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
ax25: Fix refcount imbalance on inbound connections
When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes.
A typical call trace for the above situation will start with one of the following errors:
refcount_t: decrement hit 0; leaking memory.
refcount_t: underflow; use-after-free.
And will then have a trace like:
Call Trace:
<TASK>
? show_regs+0x64/0x70
? __warn+0x83/0x120
? refcount_warn_saturate+0xb2/0x100
? report_bug+0x158/0x190
? prb_read_valid+0x20/0x30
? handle_bug+0x3e/0x70
? exc_invalid_op+0x1c/0x70
? asm_exc_invalid_op+0x1f/0x30
? refcount_warn_saturate+0xb2/0x100
? refcount_warn_saturate+0xb2/0x100
ax25_release+0x2ad/0x360
__sock_release+0x35/0xa0
sock_close+0x19/0x20
[...]
On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop:
unregister_netdevice: waiting for ax0 to become free. Usage count = 0
This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | 9fd75b66b8f68498454d685dc4ba13192ae069b0 < f4df9d6c8d4e4c818252b0419c2165d66eabd4eb | affected |
| Linux | Linux | 9fd75b66b8f68498454d685dc4ba13192ae069b0 < 52100fd74ad07b53a4666feafff1cd11436362d3 | affected |
| Linux | Linux | 9fd75b66b8f68498454d685dc4ba13192ae069b0 < a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964 | affected |
| Linux | Linux | 9fd75b66b8f68498454d685dc4ba13192ae069b0 < 3c34fb0bd4a4237592c5ecb5b2e2531900c55774 | affected |
| Linux | Linux | c44a453ffe16eb08acdc6129ac4fa0192dbc0456 | affected |
| Linux | Linux | de55a1338e6a48ff1e41ea8db1432496fbe2a62b | affected |
| Linux | Linux | 9e1e088a57c23251f1cfe9601bbd90ade2ea73b9 | affected |
| Linux | Linux | b20a5ab0f5fb175750c6bafd4cf12daccf00c738 | affected |
| Linux | Linux | 452ae92b99062d2f6a34324eaf705a3b7eac9f8b | affected |
| Linux | Linux | 534156dd4ed768e30a43de0036f45dca7c54818f | affected |
| Linux | Linux | 4.14.277 < 4.15 | affected |
| Linux | Linux | 4.19.240 < 4.20 | affected |
| Linux | Linux | 5.4.190 < 5.5 | affected |
| Linux | Linux | 5.10.112 < 5.11 | affected |
| Linux | Linux | 5.15.35 < 5.16 | affected |
| Linux | Linux | 5.17.2 < 5.18 | affected |
| Linux | Linux | 5.18 | affected |
| Linux | Linux | 0 < 5.18 | unaffected |
| Linux | Linux | 6.1.95 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.35 <= 6.6.* | unaffected |
| Linux | Linux | 6.9.6 <= 6.9.* | unaffected |
| Linux | Linux | 6.10 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb
- https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3
- https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964
- https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://git.kernel.org/stable/c/f4df9d6c8d4e4c818252b0419c2165d66eabd4eb
- https://git.kernel.org/stable/c/52100fd74ad07b53a4666feafff1cd11436362d3
- https://git.kernel.org/stable/c/a723a6c8d4831cc8e2c7b0c9f3f0c010d4671964
- https://git.kernel.org/stable/c/3c34fb0bd4a4237592c5ecb5b2e2531900c55774
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.