APPLIED: [SRU][J/F][PATCH 0/1] CVE-2024-38602
Stefan Bader
stefan.bader at canonical.com
Wed Sep 25 10:55:33 UTC 2024
On 20.09.24 06:02, Hui Wang wrote:
> [Impact]
>
> The refcount is unbalanced between ax25_dev_device_up() and
> ax25_dev_device_down(), and some refinement is done in
> ax25_addr_ax25dev().
>
> ax25_addr_ax25dev() and ax25_dev_device_down() have a reference
> count leak issue with the object "ax25_dev".
>
> Memory leak issue in ax25_addr_ax25dev():
>
> The reference count of the object "ax25_dev" can be increased multiple
> times in ax25_addr_ax25dev(). This will cause a memory leak.
>
> Memory leak issues in ax25_dev_device_down():
>
> The reference count of ax25_dev is set to 1 in ax25_dev_device_up() and
> then increased when ax25_dev is added to ax25_dev_list.
> As a result, the reference count of ax25_dev is 2. But when the device is
> shutting down, ax25_dev_device_down() drops the reference count once
> or twice depending on whether we goto unlock_put or not, which will cause
> a memory leak.
>
> As for the issue of ax25_addr_ax25dev(), it is impossible for one pointer
> to be on a list twice. So add a break in ax25_addr_ax25dev(). As for the
> issue of ax25_dev_device_down(), increase the reference count of ax25_dev
> once in ax25_dev_device_up() and decrease the reference count of ax25_dev
> after it is removed from the ax25_dev_list.
>
>
> [Backport]
>
> This backport deletes 2 ax25_dev_put(ax25_dev) calls from
> ax25_dev_device_down(); that is because a commit is missing:
> a968c799eb1d ("ax25: merge repeat codes in ax25_dev_device_down()"),
> and the missing commit can't be cleanly cherry-picked into the Ubuntu
> kernel either, as it needs more commits to be backported. To keep it
> simple and to avoid introducing many irrelevant patches, just backport
> the CVE-fixing commit here.
>
>
> [Fix]
>
> Noble: Already fixed
> Jammy: Backported from mainline v6.10-rc1, see explanation in [Backport]
> Focal: Backported from mainline v6.10-rc1, see explanation in [Backport]
> Bionic: Sent to the -esm
> Xenial: Sent to the -esm
> Trusty: Not affected
>
> [Test Case]
>
> Compile and boot test.
>
>
> [Where problems could occur]
>
> The change is in the net/ax25 protocol; if there is a regression, it could
> impact the ax25 protocol and anywhere in the ax25 stack. But the likelihood
> of regression is very low; the change is straightforward and simple.
>
>
> Duoming Zhou (1):
> ax25: Fix reference count leak issues of ax25_dev
>
> net/ax25/ax25_dev.c | 4 +---
> 1 file changed, 1 insertion(+), 3 deletions(-)
>
Applied to jammy,focal:linux/master-next. Thanks.
-Stefan
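The [Impact] text above describes a refcount that is taken twice for a single owner (the device list) and therefore never reaches zero. The following is an added example, not code from the kernel, from the patch, or from either author: a small userspace model of that lifecycle. It keeps one teardown routine and places the whole imbalance on the device-up side, whereas the real fix also touches ax25_dev_device_down() as the [Backport] note says. The model assumes that ax25_dev_list owns exactly one reference, that a lookup returns a held reference, and that teardown obtains its pointer through such a lookup; the address string and the list walk are constructed for the example.

```c
/*
 * Added example, not kernel code: a userspace model of the ax25_dev
 * refcount lifecycle. Assumptions: the list owns one reference, a lookup
 * returns a held reference, and teardown finds the object via a lookup.
 */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

struct ax25_dev {
    char addr[8];               /* stands in for the device's AX.25 address */
    unsigned refcount;
    struct ax25_dev *next;
};

static struct ax25_dev *ax25_dev_list;
static int live_objects;        /* allocations minus frees: >0 after teardown is a leak */

static void ax25_dev_hold(struct ax25_dev *d)
{
    d->refcount++;
}

static void ax25_dev_put(struct ax25_dev *d)
{
    assert(d->refcount > 0);    /* a put with no matching hold would be a use-after-free */
    if (--d->refcount == 0) {
        free(d);
        live_objects--;
    }
}

/* Lookup by address. Returns a held reference; the caller must put it. */
static struct ax25_dev *ax25_addr_ax25dev(const char *addr)
{
    struct ax25_dev *d;

    for (d = ax25_dev_list; d; d = d->next)
        if (strcmp(d->addr, addr) == 0) {
            ax25_dev_hold(d);
            break;              /* one hold per lookup: stop at the first match */
        }
    return d;
}

/* fixed == 0 models the pre-fix sequence (set to 1, then hold again for
 * the same list reference); fixed == 1 holds exactly once for the list. */
static void ax25_dev_device_up(const char *addr, int fixed)
{
    struct ax25_dev *d = calloc(1, sizeof *d);

    assert(d);
    strncpy(d->addr, addr, sizeof d->addr - 1);
    live_objects++;
    d->refcount = 1;            /* the reference owned by ax25_dev_list */
    if (!fixed)
        ax25_dev_hold(d);       /* pre-fix: a second hold that nothing ever puts */
    d->next = ax25_dev_list;
    ax25_dev_list = d;
}

/* Unlink from the list, then drop the list's reference only after the
 * unlink so nothing can find the object once that reference is gone. */
static void ax25_dev_device_down(const char *addr)
{
    struct ax25_dev *d = ax25_addr_ax25dev(addr);   /* +1: lookup reference */
    struct ax25_dev **pp;

    if (!d)
        return;
    for (pp = &ax25_dev_list; *pp; pp = &(*pp)->next)
        if (*pp == d) {
            *pp = d->next;
            break;
        }
    ax25_dev_put(d);            /* -1: the list no longer refers to it */
    ax25_dev_put(d);            /* -1: our lookup reference */
}

/* Bring one device up and down; return how many objects are still
 * allocated afterwards. 0 means balanced, anything else is a leak. */
int objects_left_after_cycle(int fixed)
{
    live_objects = 0;
    ax25_dev_list = NULL;
    ax25_dev_device_up("VE3XYZ", fixed);   /* constructed sample address */
    ax25_dev_device_down("VE3XYZ");
    return live_objects;
}
```

Running objects_left_after_cycle(0) leaves one object allocated with refcount 1 and no owner, which is the leak the thread describes; objects_left_after_cycle(1) frees it. The assert in ax25_dev_put shows the other side of the same invariant: removing a put without removing its hold leaks, removing a hold without removing its put underflows into a use-after-free, which is why the fix has to adjust both functions together. The break in the lookup has no visible effect here because, as the thread notes, a pointer cannot be on the list twice.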