[SRU][J/F][PATCH 0/1] CVE-2024-38602

Hui Wang hui.wang at canonical.com
Fri Sep 20 04:02:11 UTC 2024 

[Impact]

The refcount is unbalanced between ax25_dev_device_up() and
ax25_dev_device_down(), and do some refinement in the
ax25_addr_ax25dev().

The ax25_addr_ax25dev() and ax25_dev_device_down() exist a reference
count leak issue of the object "ax25_dev".

Memory leak issue in ax25_addr_ax25dev():

The reference count of the object "ax25_dev" can be increased multiple
times in ax25_addr_ax25dev(). This will cause a memory leak.

Memory leak issues in ax25_dev_device_down():

The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and
then increase the reference count when ax25_dev is added to ax25_dev_list.
As a result, the reference count of ax25_dev is 2. But when the device is
shutting down. The ax25_dev_device_down() drops the reference count once
or twice depending on if we goto unlock_put or not, which will cause
memory leak.

As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer
to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the
issue of ax25_dev_device_down(), increase the reference count of ax25_dev
once in ax25_dev_device_up() and decrease the reference count of ax25_dev
after it is removed from the ax25_dev_list.


[Backport]

This backport deletes 2 ax25_dev_put(ax25_dev) from
ax25_dev_device_down(), that is because a commit is missing:
a968c799eb1d ("ax25: merge repeat codes in ax25_dev_device_down()"),
and the missing commit can't be cleanly cherry-picked into ubuntu
kernel too, it needs to backport more commits, to be simple and to
avoid introducing many unrelevant patches, just backport the CVE
fixing commit here.


[Fix]

Noble:  Already fixed
Jammy:  Backported from mainline v6.10-rc1, see explanation in [Backport]
Focal:  Backported from mainline v6.10-rc1, see explanation in [Backport]
Bionic: Sent to the -esm
Xenial: Sent to the -esm
Trusty: Not affected

[Test Case]

Compile and boot test.


[Where problems could occur]

The change is on net/ax25 protocol, if there is regression, it could
impact ax25 protocol and anywhere in the ax25 stack. But the likely of
regression is very low, the change is straightforward and simple.


Duoming Zhou (1):
  ax25: Fix reference count leak issues of ax25_dev

 net/ax25/ax25_dev.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

-- 
2.34.1

More information about the kernel-team mailing list