CVE-2024-56640: net/smc: fix LGR and link use-after-free issue
First published: Fri Dec 27 2024(Updated: )
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix LGR and link use-after-free issue We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe. refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 or refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118 It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock. e.g. Calls under socklock | smc_listen_work ------------------------------------------------------- lock_sock(sk) | smc_conn_abort smc_conn_free | \- smc_conn_free \- smcr_link_put | \- smcr_link_put (duplicated) release_sock(sk) So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations.
Credit: 416baaa9-dc9f-4396-8d5f-8c081fb06d67
| Affected Software | Affected Version | How to fix |
|---|---|---|
| >=4.18<5.15.174 | ||
| >=5.16<6.1.120 | ||
| >=6.2<6.6.66 | ||
| >=6.7<6.12.5 | ||
| =6.13-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b
- https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295
- https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226
- https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb
- https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7
Frequently Asked Questions
What is the severity of CVE-2024-56640?
CVE-2024-56640 is considered a critical vulnerability due to the potential for a use-after-free condition leading to unsafe resource access.
How do I fix CVE-2024-56640?
To fix CVE-2024-56640, you should update your Linux kernel to a version that includes the patch for this vulnerability.
Which versions of the Linux kernel are affected by CVE-2024-56640?
CVE-2024-56640 affects Linux kernel versions between 4.18 and 5.15.174, 5.16 and 6.1.120, 6.2 and 6.6.66, 6.7 and 6.12.5, and specifically 6.13-rc1.
What impact does CVE-2024-56640 have on system security?
The use-after-free issue in CVE-2024-56640 can lead to unauthorized access to system resources, potentially allowing attackers to execute arbitrary code.
Is CVE-2024-56640 likely to be exploited in the wild?
Given the severity and nature of CVE-2024-56640, it is likely that it could be targeted by attackers if not properly mitigated.
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- agent/remedy
- agent/severity
- agent/source
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- agent/event
- vendor/linux
- canonical/linux kernel
- version/linux kernel/4.18
- version/linux kernel/5.16
- version/linux kernel/6.2
- version/linux kernel/6.7
- version/linux kernel/6.13-rc1