CVE-2024-26961

CVE Details

Release Date: 2024-05-01

Description


In the Linux kernel, the following vulnerability has been resolved:

mac802154: fix llsec key resources release in mac802154_llsec_key_del

mac802154_llsec_key_del() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llsec_lookup_key() is traversing the list of keys in parallel with a key deletion:

refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
Modules linked in:
CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x162/0x2a0
Call Trace:
 llsec_lookup_key.isra.0+0x890/0x9e0
 mac802154_llsec_encrypt+0x30c/0x9c0
 ieee802154_subif_start_xmit+0x24/0x1e0
 dev_hard_start_xmit+0x13e/0x690
 sch_direct_xmit+0x2ae/0xbc0
 __dev_queue_xmit+0x11dd/0x3c20
 dgram_sendmsg+0x90b/0xd60
 __sys_sendto+0x466/0x4c0
 __x64_sys_sendto+0xe0/0x1c0
 do_syscall_64+0x45/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76

Also, ieee802154_llsec_key_entry structures are not freed by mac802154_llsec_key_del():

unreferenced object 0xffff8880613b6980 (size 64):
  comm 'iwpan', pid 2176, jiffies 4294761134 (age 60.475s)
  hex dump (first 32 bytes):
    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x.......'.......
    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................
  backtrace:
    [] __kmem_cache_alloc_node+0x1e2/0x2d0
    [] kmalloc_trace+0x25/0xc0
    [] mac802154_llsec_key_add+0xac9/0xcf0
    [] ieee802154_add_llsec_key+0x5a/0x80
    [] nl802154_add_llsec_key+0x426/0x5b0
    [] genl_family_rcv_msg_doit+0x1fe/0x2f0
    [] genl_rcv_msg+0x531/0x7d0
    [] netlink_rcv_skb+0x169/0x440
    [] genl_rcv+0x28/0x40
    [] netlink_unicast+0x53c/0x820
    [] netlink_sendmsg+0x93b/0xe60
    [] ____sys_sendmsg+0xac5/0xca0
    [] ___sys_sendmsg+0x11d/0x1c0
    [] __sys_sendmsg+0xfa/0x1d0
    [] do_syscall_64+0x45/0xf0
    [] entry_SYSCALL_64_after_hwframe+0x6e/0x76

Handle the proper resource release in the RCU callback function mac802154_llsec_key_del_rcu().

Note that if llsec_lookup_key() finds a key, it gets a refcount via llsec_key_get() and locally copies the key id from key_entry (which is a list element). So it is safe to call llsec_key_put() and free the list entry after the RCU grace period elapses.

Found by Linux Verification Center (linuxtesting.org).
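The ordering the fix relies on, as an added userspace model (not kernel code and not from the commit): a reader takes its own reference and copies the id out of the entry, while deletion only unlinks the entry and defers llsec_key_put() and the entry free to a callback that runs once the grace period has elapsed. The list, the callback queue and the counters are model assumptions that stand in for list_del_rcu()/call_rcu().

```c
#include <stdlib.h>
/* Model (assumption, not kernel code): key with a refcount, list entry pointing at it. */
struct llsec_key { int refcount; };
struct key_entry { struct llsec_key *key; int id; struct key_entry *next; };
static struct key_entry *key_list;    /* RCU-protected key list */
static struct key_entry *rcu_pending; /* entries awaiting the grace period */
int keys_freed, entries_freed;        /* counters the test inspects */
static void llsec_key_get(struct llsec_key *k) { k->refcount++; }
void llsec_key_put(struct llsec_key *k) { if (--k->refcount == 0) { free(k); keys_freed++; } }
/* mac802154_llsec_key_add model: the list holds one reference to the key. */
int llsec_key_add(int id) {
    struct key_entry *e = malloc(sizeof *e);
    struct llsec_key *k = malloc(sizeof *k);
    if (!e || !k) { free(e); free(k); return -1; }
    k->refcount = 1; e->key = k; e->id = id;
    e->next = key_list; key_list = e;   /* list_add_rcu */
    return 0;
}
/* llsec_lookup_key model: the reader takes its own reference and copies the id
   out of the entry, so it never touches the entry again after returning. */
struct llsec_key *llsec_lookup_key(int id, int *id_out) {
    for (struct key_entry *e = key_list; e; e = e->next)
        if (e->id == id) { llsec_key_get(e->key); *id_out = e->id; return e->key; }
    return NULL;
}
/* mac802154_llsec_key_del model: unlink now, but defer the put and the entry
   free to the RCU callback (mac802154_llsec_key_del_rcu). */
int llsec_key_del(int id) {
    for (struct key_entry **pp = &key_list; *pp; pp = &(*pp)->next) {
        if ((*pp)->id == id) {
            struct key_entry *e = *pp;
            *pp = e->next;                      /* list_del_rcu: readers may still see e */
            e->next = rcu_pending; rcu_pending = e;   /* call_rcu */
            return 0;
        }
    }
    return -1;
}
/* Grace period elapsed: run the deferred callbacks. */
void rcu_grace_period(void) {
    while (rcu_pending) {
        struct key_entry *e = rcu_pending;
        rcu_pending = e->next;
        llsec_key_put(e->key);                  /* drop the list's reference */
        free(e); entries_freed++;
    }
}
```

The buggy version would run the put and the free inside llsec_key_del() itself, which is exactly the window the refcount warning above was raised in.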

See more information about CVE-2024-26961 from MITRE CVE dictionary and NIST NVD


CVSS Scoring


NOTE: The following CVSS v3.1 metrics and score provided are preliminary and subject to review.

Base Score: 5.5
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Errata information


Platform                          | Errata         | Release Date
Oracle Linux version 8 (kernel)   | ELSA-2024-5101 | 2024-08-08
Oracle Linux version 9 (kernel)   | ELSA-2024-8617 | 2024-10-30


This page is generated automatically and has not been checked for errors or omissions.