CVE-2024-41006
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix a memory leak in nr_heartbeat_expiry()
syzbot reported a memory leak in nr_create() 0.
Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag.
But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b."
nr_connect nr_establish_data_link nr_start_heartbeat
nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY);
nr_rx_frame
nr_process_rx_frame
switch (nr->state)
case NR_STATE_2
nr_state2_machine()
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0
sock_set_flag(sk, SOCK_DEAD)
nr_heartbeat_expiry
switch (nr->state)
case NR_STATE_0
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN
&& sock_flag(sk, SOCK_DEAD)))
sock_hold() // ( !!! )
nr_destroy_socket()
To fix the memory leak, let's call sock_hold() only for a listening socket.
Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | a31caf5779ace8fa98b0d454133808e082ee7a1b < d616876256b38ecf9a1a1c7d674192c5346bc69c | affected |
| Linux | Linux | fe9b9e621cebe6b7e83f7e954c70f8bb430520e5 < e07a9c2a850cdebf625e7a1b8171bd23a8554313 | affected |
| Linux | Linux | 7de16d75b20ab13b75a7291f449a1b00090edfea < 5391f9db2cab5ef1cb411be1ab7dbec728078fba | affected |
| Linux | Linux | d2d3ab1b1de3302de2c85769121fd4f890e47ceb < 280cf1173726a7059b628c610c71050d5c0b6937 | affected |
| Linux | Linux | 51e394c6f81adbfe7c34d15f58b3d4d44f144acf < a02fd5d775cf9787ee7698c797e20f2fa13d2e2b | affected |
| Linux | Linux | 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 < b6ebe4fed73eedeb73f4540f8edc4871945474c8 | affected |
| Linux | Linux | 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 < d377f5a28332954b19e373d36823e59830ab1712 | affected |
| Linux | Linux | 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 < 0b9130247f3b6a1122478471ff0e014ea96bb735 | affected |
| Linux | Linux | e666990abb2e42dd4ba979b4706280a3664cfae7 | affected |
| Linux | Linux | 4.19.272 < 4.19.317 | affected |
| Linux | Linux | 5.4.231 < 5.4.279 | affected |
| Linux | Linux | 5.10.166 < 5.10.221 | affected |
| Linux | Linux | 5.15.91 < 5.15.162 | affected |
| Linux | Linux | 6.1.9 < 6.1.96 | affected |
| Linux | Linux | 4.14.305 < 4.15 | affected |
| Linux | Linux | 6.2 | affected |
| Linux | Linux | 0 < 6.2 | unaffected |
| Linux | Linux | 4.19.317 <= 4.19.* | unaffected |
| Linux | Linux | 5.4.279 <= 5.4.* | unaffected |
| Linux | Linux | 5.10.221 <= 5.10.* | unaffected |
| Linux | Linux | 5.15.162 <= 5.15.* | unaffected |
| Linux | Linux | 6.1.96 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.36 <= 6.6.* | unaffected |
| Linux | Linux | 6.9.7 <= 6.9.* | unaffected |
| Linux | Linux | 6.10 <= * | unaffected |
Weaknesses
ADP Enrichment
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
- https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313
- https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
- https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
- https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
- https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
- https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
- https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
- https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
Additional References
- https://cert-portal.siemens.com/productcert/html/ssa-265688.html
- https://cert-portal.siemens.com/productcert/html/ssa-613116.html
- https://cert-portal.siemens.com/productcert/html/ssa-355557.html
References
- https://git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
- https://git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313
- https://git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
- https://git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
- https://git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
- https://git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
- https://git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
- https://git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.