In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix llsec key resources release in mac802154_llsec_key_del
mac802154_llsec_key_del() can free resources of a key directly without
following the RCU rules for waiting before the end of a grace period. This
may lead to use-after-free in case llsec_lookup_key() is traversing the
list of keys in parallel with a key deletion:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
Modules linked in:
CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x162/0x2a0
Call Trace:
<TASK>
llsec_lookup_key.isra.0+0x890/0x9e0
mac802154_llsec_encrypt+0x30c/0x9c0
ieee802154_subif_start_xmit+0x24/0x1e0
dev_hard_start_xmit+0x13e/0x690
sch_direct_xmit+0x2ae/0xbc0
__dev_queue_xmit+0x11dd/0x3c20
dgram_sendmsg+0x90b/0xd60
__sys_sendto+0x466/0x4c0
__x64_sys_sendto+0xe0/0x1c0
do_syscall_64+0x45/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
Also, ieee802154_llsec_key_entry structures are not freed by
mac802154_llsec_key_del():
unreferenced object 0xffff8880613b6980 (size 64):
comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)
hex dump (first 32 bytes):
78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x.......".......
00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................
backtrace:
[<ffffffff81dcfa62>] __kmem_cache_alloc_node+0x1e2/0x2d0
[<ffffffff81c43865>] kmalloc_trace+0x25/0xc0
[<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0
[<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80
[<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0
[<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0
[<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0
[<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440
[<ffffffff86ff1d88>] genl_rcv+0x28/0x40
[<ffffffff86fec15c>] netlink_unicast+0x53c/0x820
[<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60
[<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0
[<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0
[<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0
[<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0
[<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
Handle the proper resource release in the RCU callback function
mac802154_llsec_key_del_rcu().
Note that if llsec_lookup_key() finds a key, it gets a refcount via
llsec_key_get() and locally copies key id from key_entry (which is a
list element). So it's safe to call llsec_key_put() and free the list
entry after the RCU grace period elapses.
Found by Linux Verification Center (linuxtesting.org).
Metrics
Affected Vendors & Products
References
History
Fri, 22 Nov 2024 12:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Tue, 05 Nov 2024 10:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Wed, 30 Oct 2024 15:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat rhel Eus
|
|
CPEs | cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.2::nfv cpe:/o:redhat:enterprise_linux:9 |
|
Vendors & Products |
Redhat rhel Eus
|
Fri, 04 Oct 2024 15:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-459 |
Thu, 08 Aug 2024 23:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat enterprise Linux
|
|
CPEs | cpe:/a:redhat:enterprise_linux:8::nfv cpe:/o:redhat:enterprise_linux:8 |
|
Vendors & Products |
Redhat enterprise Linux
|
Wed, 07 Aug 2024 10:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Redhat
Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus |
|
CPEs | cpe:/o:redhat:rhel_aus:8.6 cpe:/o:redhat:rhel_e4s:8.6 cpe:/o:redhat:rhel_tus:8.6 |
|
Vendors & Products |
Redhat
Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus |
MITRE
Status: PUBLISHED
Assigner: Linux
Published: 2024-05-01T05:19:16.361Z
Updated: 2024-11-05T09:18:58.257Z
Reserved: 2024-02-19T14:20:24.201Z
Link: CVE-2024-26961
Vulnrichment
Updated: 2024-08-02T00:21:05.779Z
NVD
Status : Awaiting Analysis
Published: 2024-05-01T06:15:12.437
Modified: 2024-11-21T09:03:29.877
Link: CVE-2024-26961
Redhat