CVE-2024-41006

Summary

In the Linux kernel, the following vulnerability has been resolved:

netrom: Fix a memory leak in nr_heartbeat_expiry()

syzbot reported a memory leak in nr_create() 0.

Commit 409db27e3a2e ("netrom: Fix use-after-free of a listening socket.") added sock_hold() to the nr_heartbeat_expiry() function, where a) a socket has a SOCK_DESTROY flag or b) a listening socket has a SOCK_DEAD flag.

But in the case "a," when the SOCK_DESTROY flag is set, the file descriptor has already been closed and the nr_release() function has been called. So it makes no sense to hold the reference count because no one will call another nr_destroy_socket() and put it as in the case "b."

nr_connect nr_establish_data_link nr_start_heartbeat

nr_release switch (nr->state) case NR_STATE_3 nr->state = NR_STATE_2 sock_set_flag(sk, SOCK_DESTROY);

                    nr_rx_frame
                      nr_process_rx_frame
                        switch (nr->state)
                        case NR_STATE_2
                          nr_state2_machine()
                            nr_disconnect()
                              nr_sk(sk)->state = NR_STATE_0
                              sock_set_flag(sk, SOCK_DEAD)

                    nr_heartbeat_expiry
                      switch (nr->state)
                      case NR_STATE_0
                        if (sock_flag(sk, SOCK_DESTROY) ||
                           (sk->sk_state == TCP_LISTEN
                             && sock_flag(sk, SOCK_DEAD)))
                           sock_hold()  // ( !!! )
                           nr_destroy_socket()

To fix the memory leak, let's call sock_hold() only for a listening socket.

Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.

Affected Software

VendorProductVersion RangeStatus
LinuxLinuxa31caf5779ace8fa98b0d454133808e082ee7a1b < d616876256b38ecf9a1a1c7d674192c5346bc69caffected
LinuxLinuxfe9b9e621cebe6b7e83f7e954c70f8bb430520e5 < e07a9c2a850cdebf625e7a1b8171bd23a8554313affected
LinuxLinux7de16d75b20ab13b75a7291f449a1b00090edfea < 5391f9db2cab5ef1cb411be1ab7dbec728078fbaaffected
LinuxLinuxd2d3ab1b1de3302de2c85769121fd4f890e47ceb < 280cf1173726a7059b628c610c71050d5c0b6937affected
LinuxLinux51e394c6f81adbfe7c34d15f58b3d4d44f144acf < a02fd5d775cf9787ee7698c797e20f2fa13d2e2baffected
LinuxLinux409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 < b6ebe4fed73eedeb73f4540f8edc4871945474c8affected
LinuxLinux409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 < d377f5a28332954b19e373d36823e59830ab1712affected
LinuxLinux409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 < 0b9130247f3b6a1122478471ff0e014ea96bb735affected
LinuxLinuxe666990abb2e42dd4ba979b4706280a3664cfae7affected
LinuxLinux4.19.272 < 4.19.317affected
LinuxLinux5.4.231 < 5.4.279affected
LinuxLinux5.10.166 < 5.10.221affected
LinuxLinux5.15.91 < 5.15.162affected
LinuxLinux6.1.9 < 6.1.96affected
LinuxLinux4.14.305 < 4.15affected
LinuxLinux6.2affected
LinuxLinux0 < 6.2unaffected
LinuxLinux4.19.317 <= 4.19.*unaffected
LinuxLinux5.4.279 <= 5.4.*unaffected
LinuxLinux5.10.221 <= 5.10.*unaffected
LinuxLinux5.15.162 <= 5.15.*unaffected
LinuxLinux6.1.96 <= 6.1.*unaffected
LinuxLinux6.6.36 <= 6.6.*unaffected
LinuxLinux6.9.7 <= 6.9.*unaffected
LinuxLinux6.10 <= *unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

Additional References

References