CVE-2024-26961

2024-05-0100:00:00

ubuntu.com

linux kernel

mac802154

llsec key

use-after-free

rcu rules

resource release

7.6 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.2%

JSON

In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix llsec key resources release in mac802154_llsec_key_del
mac802154_llsec_key_del() can free resources of a key directly without
following the RCU rules for waiting before the end of a grace period. This
may lead to use-after-free in case llsec_lookup_key() is traversing the
list of keys in parallel with a key deletion: refcount_t: addition on 0;
use-after-free. WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25
refcount_warn_saturate+0x162/0x2a0 Modules linked in: CPU: 4 PID: 16000
Comm: wpan-ping Not tainted 6.7.0 #19 Hardware name: QEMU Standard PC
(i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP:
0010:refcount_warn_saturate+0x162/0x2a0 Call Trace: <TASK>
llsec_lookup_key.isra.0+0x890/0x9e0 mac802154_llsec_encrypt+0x30c/0x9c0
ieee802154_subif_start_xmit+0x24/0x1e0 dev_hard_start_xmit+0x13e/0x690
sch_direct_xmit+0x2ae/0xbc0 __dev_queue_xmit+0x11dd/0x3c20
dgram_sendmsg+0x90b/0xd60 __sys_sendto+0x466/0x4c0
__x64_sys_sendto+0xe0/0x1c0 do_syscall_64+0x45/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76 Also, ieee802154_llsec_key_entry
structures are not freed by mac802154_llsec_key_del(): unreferenced object
0xffff8880613b6980 (size 64): comm “iwpan”, pid 2176, jiffies 4294761134
(age 60.475s) hex dump (first 32 bytes): 78 0d 8f 18 80 88 ff ff 22 01 00
00 00 00 ad de x…"… 00 00 00 00 00 00 00 00 03 00 cd ab 00 00
00 00 … backtrace: [<ffffffff81dcfa62>]
__kmem_cache_alloc_node+0x1e2/0x2d0 [<ffffffff81c43865>]
kmalloc_trace+0x25/0xc0 [<ffffffff88968b09>]
mac802154_llsec_key_add+0xac9/0xcf0 [<ffffffff8896e41a>]
ieee802154_add_llsec_key+0x5a/0x80 [<ffffffff8892adc6>]
nl802154_add_llsec_key+0x426/0x5b0 [<ffffffff86ff293e>]
genl_family_rcv_msg_doit+0x1fe/0x2f0 [<ffffffff86ff46d1>]
genl_rcv_msg+0x531/0x7d0 [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440
[<ffffffff86ff1d88>] genl_rcv+0x28/0x40 [<ffffffff86fec15c>]
netlink_unicast+0x53c/0x820 [<ffffffff86fecd8b>]
netlink_sendmsg+0x93b/0xe60 [<ffffffff86b91b35>]
____sys_sendmsg+0xac5/0xca0 [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0
[<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0 [<ffffffff88eadbf5>]
do_syscall_64+0x45/0xf0 [<ffffffff890000ea>]
entry_SYSCALL_64_after_hwframe+0x6e/0x76 Handle the proper resource release
in the RCU callback function mac802154_llsec_key_del_rcu(). Note that if
llsec_lookup_key() finds a key, it gets a refcount via llsec_key_get() and
locally copies key id from key_entry (which is a list element). So it’s
safe to call llsec_key_put() and free the list entry after the RCU grace
period elapses. Found by Linux Verification Center (linuxtesting.org).

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchlinux< anyUNKNOWN
ubuntu20.04noarchlinux< anyUNKNOWN
ubuntu22.04noarchlinux< anyUNKNOWN
ubuntu23.10noarchlinux< anyUNKNOWN
ubuntu24.04noarchlinux< 6.8.0-35.35UNKNOWN
ubuntu14.04noarchlinux< anyUNKNOWN
ubuntu16.04noarchlinux< anyUNKNOWN
ubuntu18.04noarchlinux-aws< anyUNKNOWN
ubuntu20.04noarchlinux-aws< anyUNKNOWN
ubuntu22.04noarchlinux-aws< anyUNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	linux	< any	UNKNOWN
ubuntu	20.04	noarch	linux	< any	UNKNOWN
ubuntu	22.04	noarch	linux	< any	UNKNOWN
ubuntu	23.10	noarch	linux	< any	UNKNOWN
ubuntu	24.04	noarch	linux	< 6.8.0-35.35	UNKNOWN
ubuntu	14.04	noarch	linux	< any	UNKNOWN
ubuntu	16.04	noarch	linux	< any	UNKNOWN
ubuntu	18.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	20.04	noarch	linux-aws	< any	UNKNOWN
ubuntu	22.04	noarch	linux-aws	< any	UNKNOWN