CVE-2024-49982 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

aoe: fix the potential use-after-free problem in more places

For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts") makes tx() call dev_put() instead of doing it in aoecmd_cfg_pkts(). This avoids tx() running into a use-after-free.

Then Nicolai Stange found more places in aoe that have a potential use-after-free problem with tx(), e.g. revalidate(), aoecmd_ata_rw(), resend(), probe() and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push packets to the tx queue. So they should also use dev_hold() to increase the refcnt of skb->dev.

On the other hand, moving dev_put() to tx() causes the refcnt of skb->dev to be reduced to a negative value, because the corresponding dev_hold() calls are not made in revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp(). This patch fixes this issue.


Analysis

by VulDB Data Team • 03/21/2026

CVE-2024-49982 describes a critical use-after-free condition within the Linux kernel's AoE (ATA over Ethernet) subsystem that could potentially lead to system instability or privilege escalation. The issue stems from improper reference counting of network device structures during packet transmission operations. It was initially identified and partially addressed in CVE-2023-6270 through commit f98364e92662, which moved the dev_put() call from aoecmd_cfg_pkts() to the tx() function to prevent premature deallocation of network device references. However, subsequent analysis by Nicolai Stange revealed that multiple other functions within the AoE subsystem contained similar flaws where aoenet_xmit() was called without proper device reference management.

The core technical flaw involves the improper handling of reference counting for network device structures when transmitting packets through the AoE driver. Functions such as revalidate(), aoecmd_ata_rw(), resend(), probe(), and aoecmd_cfg_rsp() all utilize aoenet_xmit() to queue packets for transmission but fail to call dev_hold() to increment the reference count of skb->dev before transmission. When the dev_put() call was moved to the tx() function in the previous fix, it created a scenario where the reference count could be decremented below zero in these other functions, leading to use-after-free conditions when the network device structure was subsequently freed while still referenced elsewhere in the code. This represents a classic improper reference counting vulnerability that can result in memory corruption and system crashes.

The operational impact of CVE-2024-49982 extends beyond simple system instability to potentially enable privilege escalation attacks. An attacker who can control network traffic to an affected system could exploit this vulnerability to trigger memory corruption in kernel space, potentially leading to arbitrary code execution with kernel privileges. The vulnerability affects systems running Linux kernels with AoE support, particularly those handling network storage communications where AoE protocol is active. The use-after-free condition could be exploited through carefully crafted network packets sent to the target system, making this a remote attack vector with significant security implications. The vulnerability aligns with CWE-416: Use After Free, which specifically addresses improper handling of memory after it has been freed, and could map to ATT&CK technique T1068: Exploitation for Privilege Escalation when exploited successfully.

The fix for CVE-2024-49982 involves implementing proper reference counting across all functions that utilize aoenet_xmit() for packet transmission. Each affected function must now call dev_hold() to increment the reference count of skb->dev before invoking aoenet_xmit(), ensuring that the network device structure remains valid throughout the transmission process. This approach restores proper reference counting semantics and prevents the scenario where dev_put() in tx() would decrement a reference count that was never properly incremented. The patch ensures that every path through the AoE subsystem that transmits packets maintains appropriate device reference management, preventing the negative reference count issue that could lead to use-after-free conditions. This fix aligns with the principle of proper resource management in kernel space and follows established best practices for reference counting in Linux kernel networking subsystems.
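The hold/put pairing described above, as an added illustration that is not the kernel's own code: a small self-contained model in which the transmit side drops a device reference (as tx() does after f98364e92662) and a caller either does or does not take the matching reference first. Running the unfixed path shows the reference count going to zero and then negative, with later sends touching an already-released device; the fixed path keeps the count balanced. The names netdev_model, skb_model, tx_model, xmit_unfixed, xmit_fixed and simulate_sends are stand-ins chosen here, not kernel identifiers, and the counter is a plain int rather than the kernel's refcount type so the negative value is visible.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for struct net_device. Only the reference count
 * matters for this illustration; it is a plain int so that a negative
 * value, the symptom named in the commit message, is visible. */
struct netdev_model {
    int refcnt;
    bool freed;   /* set once the last reference has been dropped */
};

/* Hypothetical stand-in for struct sk_buff: the packet remembers the
 * device it is to be sent on, which is the reference being counted. */
struct skb_model {
    struct netdev_model *dev;
};

struct sim_result {
    int refcnt;      /* device refcount after all sends */
    bool freed;      /* device was released during the sends */
    int uaf_count;   /* sends that touched an already-released device */
};

/* Models dev_hold(): take one reference on the device. */
static void dev_hold_model(struct netdev_model *d)
{
    d->refcnt++;
}

/* Models dev_put(): drop one reference; the device is released at zero. */
static void dev_put_model(struct netdev_model *d)
{
    d->refcnt--;
    if (d->refcnt == 0)
        d->freed = true;
}

/* Models tx() after commit f98364e92662: the transmit side performs the
 * dev_put() and therefore relies on every caller having done dev_hold().
 * Returns 1 if the device was already released when tx ran (a
 * use-after-free in the real driver), else 0. */
static int tx_model(struct skb_model *s)
{
    int uaf = s->dev->freed ? 1 : 0;
    dev_put_model(s->dev);
    return uaf;
}

/* A caller such as revalidate() or resend() as described before the fix:
 * the packet is queued without a matching dev_hold(). */
static int xmit_unfixed(struct skb_model *s)
{
    return tx_model(s);
}

/* The same caller after the fix: dev_hold() pairs with the dev_put() in tx(). */
static int xmit_fixed(struct skb_model *s)
{
    dev_hold_model(s->dev);
    return tx_model(s);
}

/* Run n transmissions against a device that the driver holds once to begin
 * with (refcnt 1), with or without the fix, and report the outcome. */
struct sim_result simulate_sends(int n, bool fixed)
{
    struct netdev_model dev = { .refcnt = 1, .freed = false };
    struct skb_model skb = { .dev = &dev };
    struct sim_result r = { 0, false, 0 };

    for (int i = 0; i < n; i++)
        r.uaf_count += fixed ? xmit_fixed(&skb) : xmit_unfixed(&skb);

    r.refcnt = dev.refcnt;
    r.freed = dev.freed;
    return r;
}

int main(void)
{
    struct sim_result before = simulate_sends(3, false);
    struct sim_result after = simulate_sends(3, true);

    printf("unfixed: refcnt=%d freed=%d uaf_sends=%d\n",
           before.refcnt, before.freed, before.uaf_count);
    printf("fixed:   refcnt=%d freed=%d uaf_sends=%d\n",
           after.refcnt, after.freed, after.uaf_count);
    return 0;
}
```

The point the model makes is the one the patch relies on: once the put lives in the shared transmit path, the invariant is that every caller of that path owns a reference it took itself, so an audit of the fix is an audit of every aoenet_xmit() call site for a preceding dev_hold().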

Responsible

Linux

Reservation

10/21/2024

Disclosure

10/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00259

KEV

no

Activities

very low

Sources
