CVE-2024-26961: mac802154: fix llsec key resources release in mac802154_llsec_key_del
In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix llsec key resources release in mac802154llseckeydel
mac802154llseckeydel() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llseclookupkey() is traversing the list of keys in parallel with a key deletion:
refcountt: addition on 0; use-after-free. WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcountwarnsaturate+0x162/0x2a0 Modules linked in: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:refcountwarnsaturate+0x162/0x2a0 Call Trace: llseclookupkey.isra.0+0x890/0x9e0 mac802154llsecencrypt+0x30c/0x9c0 ieee802154subifstartxmit+0x24/0x1e0 devhardstartxmit+0x13e/0x690 schdirectxmit+0x2ae/0xbc0 devqueuexmit+0x11dd/0x3c20 dgramsendmsg+0x90b/0xd60 syssendto+0x466/0x4c0 x64syssendto+0xe0/0x1c0 dosyscall64+0x45/0xf0 entrySYSCALL64afterhwframe+0x6e/0x76
Also, ieee802154llseckeyentry structures are not freed by mac802154llseckeydel():
unreferenced object 0xffff8880613b6980 (size 64): comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s) hex dump (first 32 bytes): 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x......."....... 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................ backtrace: [] kmemcacheallocnode+0x1e2/0x2d0 [] kmalloctrace+0x25/0xc0 [] mac802154llseckeyadd+0xac9/0xcf0 [] ieee802154addllseckey+0x5a/0x80 [] nl802154addllseckey+0x426/0x5b0 [] genlfamilyrcvmsgdoit+0x1fe/0x2f0 [] genlrcvmsg+0x531/0x7d0 [] netlinkrcvskb+0x169/0x440 [] genlrcv+0x28/0x40 [] netlinkunicast+0x53c/0x820 [] netlinksendmsg+0x93b/0xe60 [] syssendmsg+0xac5/0xca0 [] syssendmsg+0x11d/0x1c0 [] syssendmsg+0xfa/0x1d0 [] dosyscall64+0x45/0xf0 [] entrySYSCALL64afterhwframe+0x6e/0x76
Handle the proper resource release in the RCU callback function mac802154llseckeydelrcu().
Note that if llseclookupkey() finds a key, it gets a refcount via llseckeyget() and locally copies key id from keyentry (which is a list element). So it's safe to call llseckeyput() and free the list entry after the RCU grace period elapses.
Found by Linux Verification Center (linuxtesting.org).
Other sources
In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix llsec key resources release in mac802154llseckeydel
mac802154llseckeydel() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llseclookupkey() is traversing the list of keys in parallel with a key deletion:
refcountt: addition on 0; use-after-free. WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcountwarnsaturate+0x162/0x2a0 Modules linked in: CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 RIP: 0010:refcountwarnsaturate+0x162/0x2a0 Call Trace: <TASK> llseclookupkey.isra.0+0x890/0x9e0 mac802154llsecencrypt+0x30c/0x9c0 ieee802154subifstartxmit+0x24/0x1e0 devhardstartxmit+0x13e/0x690 schdirectxmit+0x2ae/0xbc0 devqueuexmit+0x11dd/0x3c20 dgramsendmsg+0x90b/0xd60 syssendto+0x466/0x4c0 x64syssendto+0xe0/0x1c0 dosyscall64+0x45/0xf0 entrySYSCALL64afterhwframe+0x6e/0x76
Also, ieee802154llseckeyentry structures are not freed by mac802154llseckeydel():
unreferenced object 0xffff8880613b6980 (size 64): comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s) hex dump (first 32 bytes): 78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de x......."....... 00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00 ................ backtrace: [<ffffffff81dcfa62>] kmemcacheallocnode+0x1e2/0x2d0 [<ffffffff81c43865>] kmalloctrace+0x25/0xc0 [<ffffffff88968b09>] mac802154llseckeyadd+0xac9/0xcf0 [<ffffffff8896e41a>] ieee802154addllseckey+0x5a/0x80 [<ffffffff8892adc6>] nl802154addllseckey+0x426/0x5b0 [<ffffffff86ff293e>] genlfamilyrcvmsgdoit+0x1fe/0x2f0 [<ffffffff86ff46d1>] genlrcvmsg+0x531/0x7d0 [<ffffffff86fee7a9>] netlinkrcvskb+0x169/0x440 [<ffffffff86ff1d88>] genlrcv+0x28/0x40 [<ffffffff86fec15c>] netlinkunicast+0x53c/0x820 [<ffffffff86fecd8b>] netlinksendmsg+0x93b/0xe60 [<ffffffff86b91b35>] syssendmsg+0xac5/0xca0 [<ffffffff86b9c3dd>] syssendmsg+0x11d/0x1c0 [<ffffffff86b9c65a>] syssendmsg+0xfa/0x1d0 [<ffffffff88eadbf5>] dosyscall64+0x45/0xf0 [<ffffffff890000ea>] entrySYSCALL64afterhwframe+0x6e/0x76
Handle the proper resource release in the RCU callback function mac802154llseckeydelrcu().
Note that if llseclookupkey() finds a key, it gets a refcount via llseckeyget() and locally copies key id from keyentry (which is a list element). So it's safe to call llseckeyput() and free the list entry after the RCU grace period elapses.
Found by Linux Verification Center (linuxtesting.org).
— NVD
In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix llsec key resources release in mac802154llseckeydel
The Linux kernel CVE team has assigned CVE-2024-26961 to this issue.
Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024050129-CVE-2024-26961-408d@gregkh/T
— Red Hat
Affected Software
Remediation
Event History
Frequently Asked Questions
What is the severity of CVE-2024-26961?
CVE-2024-26961 is categorized as a medium severity vulnerability due to improper resource handling in the Linux kernel.
How do I fix CVE-2024-26961?
To fix CVE-2024-26961, upgrade your Linux kernel to the patched versions: 5.10.215, 5.15.154, 6.1.84, 6.6.24, 6.7.12, 6.8.3, or 6.9.
Which versions of the Linux kernel are affected by CVE-2024-26961?
CVE-2024-26961 affects multiple Linux kernel versions prior to the specified remedies, including versions between 3.16 and 6.9.
What components are impacted by CVE-2024-26961?
CVE-2024-26961 specifically impacts the mac802154 subsystem, which deals with 802.15.4 wireless communication in the Linux kernel.
Is CVE-2024-26961 likely to be exploited?
While there's no public information indicating active exploitation of CVE-2024-26961, it poses potential risks due to improper handling of key resources.