CVE-2024-40910 in Linux
Summary
by MITRE • 07/12/2024
In the Linux kernel, the following vulnerability has been resolved:
ax25: Fix refcount imbalance on inbound connections
When releasing a socket in ax25_release(), we call netdev_put() to decrease the refcount on the associated ax.25 device. However, the execution path for accepting an incoming connection never calls netdev_hold(). This imbalance leads to refcount errors, and ultimately to kernel crashes.
A typical call trace for the above situation will start with one of the following errors:
refcount_t: decrement hit 0; leaking memory.
refcount_t: underflow; use-after-free.
And will then have a trace like:
Call Trace:
 ? show_regs+0x64/0x70
 ? __warn+0x83/0x120
 ? refcount_warn_saturate+0xb2/0x100
 ? report_bug+0x158/0x190
 ? prb_read_valid+0x20/0x30
 ? handle_bug+0x3e/0x70
 ? exc_invalid_op+0x1c/0x70
 ? asm_exc_invalid_op+0x1f/0x30
 ? refcount_warn_saturate+0xb2/0x100
 ? refcount_warn_saturate+0xb2/0x100
 ax25_release+0x2ad/0x360
 __sock_release+0x35/0xa0
 sock_close+0x19/0x20
 [...]
On reboot (or any attempt to remove the interface), the kernel gets stuck in an infinite loop:
unregister_netdevice: waiting for ax0 to become free. Usage count = 0
This patch corrects these issues by ensuring that we call netdev_hold() and ax25_dev_hold() for new connections in ax25_accept(). This makes the logic leading to ax25_accept() match the logic for ax25_bind(): in both cases we increment the refcount, which is ultimately decremented in ax25_release().
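The imbalance described above, as an added userspace model (not kernel code, and not part of the MITRE text): netdev_put() is modelled on refcount_dec(), which warns when the counter hits zero and again when it would go below zero, and the pre-fix and post-fix ax25_accept() paths are run side by side. The device, counter and scenarios are constructed for illustration.

```c
/* Added illustration, not kernel code: a userspace model of the ax.25
 * refcount imbalance described in CVE-2024-40910. Helper names mirror
 * the kernel's; the device, counter and scenarios are constructed. */
#include <stdio.h>
enum { RC_OK = 0, RC_DEC_LEAK = 1, RC_UNDERFLOW = 2 };
struct dev_model {
    unsigned int refcnt;  /* stands in for net_device::dev_refcnt */
    int warning;          /* first refcount_warn_saturate()-style event */
};
/* netdev_hold(): plain increment. */
static void netdev_hold(struct dev_model *d) { d->refcnt++; }
/* netdev_put(): mimics refcount_dec(), which warns "decrement hit 0;
 * leaking memory" when the count reaches 0 and "underflow; use-after-free"
 * when asked to go below 0, saturating instead of wrapping. */
static void netdev_put(struct dev_model *d)
{
    if (d->refcnt == 0) { if (!d->warning) d->warning = RC_UNDERFLOW; return; }
    if (--d->refcnt == 0 && !d->warning) d->warning = RC_DEC_LEAK;
}
static void ax25_bind(struct dev_model *d) { netdev_hold(d); }         /* takes a ref */
static void ax25_accept_buggy(struct dev_model *d) { (void)d; }        /* pre-fix: no ref */
static void ax25_accept_fixed(struct dev_model *d) { netdev_hold(d); } /* post-fix: ref */
static void ax25_release(struct dev_model *d) { netdev_put(d); }       /* drops a ref */

/* Register a device (refcount 1), open one bound socket plus n_inbound
 * accepted sockets, release them all, and return the first warning raised
 * (RC_OK means the counter came back to 1 and the device can be removed). */
int run_scenario(int fixed, int n_inbound)
{
    struct dev_model dev = { 1, RC_OK };
    int i;
    ax25_bind(&dev);
    for (i = 0; i < n_inbound; i++) {
        if (fixed) ax25_accept_fixed(&dev); else ax25_accept_buggy(&dev);
    }
    for (i = 0; i < n_inbound + 1; i++)  /* bound socket + every accepted one */
        ax25_release(&dev);
    printf("%s, %d inbound: refcnt=%u warning=%d\n",
           fixed ? "fixed" : "buggy", n_inbound, dev.refcnt, dev.warning);
    return dev.warning;
}

int main(void)
{
    run_scenario(1, 2);  /* balanced: refcnt returns to 1, no warning */
    run_scenario(0, 2);  /* imbalanced: counter hits 0, then underflows */
    return 0;
}
```

With no inbound connections the buggy path is still balanced, which is why only accepted sockets trigger the warnings.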
Analysis
by VulDB Data Team • 09/30/2024
The vulnerability described in CVE-2024-40910 resides within the Linux kernel's ax25 subsystem, which implements the Amateur Radio AX.25 protocol for packet radio communications. This protocol is commonly used in amateur radio networks and satellite communications where reliable data transmission over radio links is essential. The flaw manifests as a reference count imbalance during socket lifecycle management, specifically when handling inbound connections through the ax25_accept() function. The issue stems from an inconsistent approach to reference counting between different code paths within the ax25 subsystem, creating a potential for kernel memory corruption and system instability.
The technical root cause involves the improper management of network device reference counts when accepting incoming connections. During socket release operations, the ax25_release() function correctly calls netdev_put() to decrement the reference count on the associated ax.25 device. However, when accepting new inbound connections, the code path fails to call netdev_hold() to increment the reference count, creating an imbalance. This discrepancy means that the reference count never reaches zero in the proper manner, leading to what industry standards categorize as a CWE-1321: Improper Synchronization of Shared Data. The improper reference counting creates a use-after-free condition where memory that should be freed is still being accessed, ultimately resulting in kernel crashes.
The operational impact of this vulnerability is severe, as it can cause the kernel to become unresponsive or crash entirely when attempting to remove network interfaces or reboot the system. The call trace demonstrates the classic symptoms of reference count corruption, with messages indicating "refcount_t: decrement hit 0; leaking memory" or "refcount_t: underflow; use-after-free", which are standard indicators of memory management errors. The system can become trapped in an infinite loop during interface removal operations, displaying the message "unregister_netdevice: waiting for ax0 to become free. Usage count = 0", which represents a deadlock condition where the kernel cannot properly release network device resources. This vulnerability affects systems running Linux kernel versions where the ax25 protocol implementation is active, particularly those supporting amateur radio communications or satellite networks.
The mitigation strategy involves correcting the reference counting logic in the ax25_accept() function to ensure consistency with the ax25_bind() function's approach. The patch implements the fix by calling netdev_hold() and ax25_dev_hold() for new connections, thereby ensuring that reference counts are properly incremented and decremented throughout the socket lifecycle. This approach aligns with the ATT&CK framework's defensive techniques related to system hardening and memory management protection. The fix ensures that every path leading to ax25_release() properly accounts for the reference count, preventing the use-after-free conditions that could be exploited by malicious actors to cause denial of service or potentially escalate privileges. System administrators should prioritize applying this kernel update to protect against potential exploitation, particularly in environments where amateur radio or satellite communication systems are operational. The vulnerability represents a critical security issue that directly impacts kernel stability and system availability, making it essential for all affected systems to receive the patched kernel version.