In the Linux kernel, the following vulnerability has been resolved:
netrom: Fix a memory leak in nr_heartbeat_expiry()
syzbot reported a memory leak in nr_create() 0.
Commit 409db27e3a2e (“netrom: Fix use-after-free of a listening socket.”)
added sock_hold() to the nr_heartbeat_expiry() function, where
a) a socket has a SOCK_DESTROY flag or
b) a listening socket has a SOCK_DEAD flag.
But in the case “a,” when the SOCK_DESTROY flag is set, the file descriptor
has already been closed and the nr_release() function has been called.
So it makes no sense to hold the reference count because no one will
call another nr_destroy_socket() and put it as in the case “b.”
nr_connect
nr_establish_data_link
nr_start_heartbeat
nr_release
switch (nr->state)
case NR_STATE_3
nr->state = NR_STATE_2
sock_set_flag(sk, SOCK_DESTROY);
nr_rx_frame
nr_process_rx_frame
switch (nr->state)
case NR_STATE_2
nr_state2_machine()
nr_disconnect()
nr_sk(sk)->state = NR_STATE_0
sock_set_flag(sk, SOCK_DEAD)
nr_heartbeat_expiry
switch (nr->state)
case NR_STATE_0
if (sock_flag(sk, SOCK_DESTROY) ||
(sk->sk_state == TCP_LISTEN
&& sock_flag(sk, SOCK_DEAD)))
sock_hold() // ( !!! )
nr_destroy_socket()
To fix the memory leak, let’s call sock_hold() only for a listening socket.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with Syzkaller.
[
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "unaffected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/netrom/nr_timer.c"
],
"versions": [
{
"version": "a31caf5779ac",
"lessThan": "d616876256b3",
"status": "affected",
"versionType": "git"
},
{
"version": "fe9b9e621ceb",
"lessThan": "e07a9c2a850c",
"status": "affected",
"versionType": "git"
},
{
"version": "7de16d75b20a",
"lessThan": "5391f9db2cab",
"status": "affected",
"versionType": "git"
},
{
"version": "d2d3ab1b1de3",
"lessThan": "280cf1173726",
"status": "affected",
"versionType": "git"
},
{
"version": "51e394c6f81a",
"lessThan": "a02fd5d775cf",
"status": "affected",
"versionType": "git"
},
{
"version": "409db27e3a2e",
"lessThan": "b6ebe4fed73e",
"status": "affected",
"versionType": "git"
},
{
"version": "409db27e3a2e",
"lessThan": "d377f5a28332",
"status": "affected",
"versionType": "git"
},
{
"version": "409db27e3a2e",
"lessThan": "0b9130247f3b",
"status": "affected",
"versionType": "git"
}
]
},
{
"product": "Linux",
"vendor": "Linux",
"defaultStatus": "affected",
"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
"programFiles": [
"net/netrom/nr_timer.c"
],
"versions": [
{
"version": "6.2",
"status": "affected"
},
{
"version": "0",
"lessThan": "6.2",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "4.19.317",
"lessThanOrEqual": "4.19.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.4.279",
"lessThanOrEqual": "5.4.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.10.221",
"lessThanOrEqual": "5.10.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "5.15.162",
"lessThanOrEqual": "5.15.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.1.96",
"lessThanOrEqual": "6.1.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.6.36",
"lessThanOrEqual": "6.6.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.9.7",
"lessThanOrEqual": "6.9.*",
"status": "unaffected",
"versionType": "custom"
},
{
"version": "6.10",
"lessThanOrEqual": "*",
"status": "unaffected",
"versionType": "original_commit_for_fix"
}
]
}
]
git.kernel.org/stable/c/0b9130247f3b6a1122478471ff0e014ea96bb735
git.kernel.org/stable/c/280cf1173726a7059b628c610c71050d5c0b6937
git.kernel.org/stable/c/5391f9db2cab5ef1cb411be1ab7dbec728078fba
git.kernel.org/stable/c/a02fd5d775cf9787ee7698c797e20f2fa13d2e2b
git.kernel.org/stable/c/b6ebe4fed73eedeb73f4540f8edc4871945474c8
git.kernel.org/stable/c/d377f5a28332954b19e373d36823e59830ab1712
git.kernel.org/stable/c/d616876256b38ecf9a1a1c7d674192c5346bc69c
git.kernel.org/stable/c/e07a9c2a850cdebf625e7a1b8171bd23a8554313