Use After Free Affecting kernel-devel package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL8-KERNELDEVEL-8584953
- published31 Dec 2024
- disclosed27 Dec 2024
Introduced: 27 Dec 2024
NewCVE-2024-56640 (opens in a new tab)How to fix?
There is no fixed version for RHEL:8 kernel-devel.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-devel package and not the kernel-devel package as distributed by RHEL.
See How to fix? for RHEL:8 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix LGR and link use-after-free issue
We encountered a LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe.
refcount_t: addition on 0; use-after-free. WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140 Workqueue: events smc_lgr_terminate_work [smc] Call trace: refcount_warn_saturate+0x9c/0x140 __smc_lgr_terminate.part.45+0x2a8/0x370 [smc] smc_lgr_terminate_work+0x28/0x30 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118
or
refcount_t: underflow; use-after-free. WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140 Workqueue: smc_hs_wq smc_listen_work [smc] Call trace: refcount_warn_saturate+0xf0/0x140 smcr_link_put+0x1cc/0x1d8 [smc] smc_conn_free+0x110/0x1b0 [smc] smc_conn_abort+0x50/0x60 [smc] smc_listen_find_device+0x75c/0x790 [smc] smc_listen_work+0x368/0x8a0 [smc] process_one_work+0x1b8/0x420 worker_thread+0x158/0x510 kthread+0x114/0x118
It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock.
e.g.
Calls under socklock | smc_listen_work
lock_sock(sk) | smc_conn_abort smc_conn_free | - smc_conn_free - smcr_link_put | - smcr_link_put (duplicated) release_sock(sk)
So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations.
References
- https://access.redhat.com/security/cve/CVE-2024-56640
- https://git.kernel.org/stable/c/0cf598548a6c36d90681d53c6b77d52363f2f295
- https://git.kernel.org/stable/c/2c7f14ed9c19ec0f149479d1c2842ec1f9bf76d7
- https://git.kernel.org/stable/c/673d606683ac70bc074ca6676b938bff18635226
- https://git.kernel.org/stable/c/6f0ae06a234a78ae137064f2c89135ac078a00eb
- https://git.kernel.org/stable/c/f502a88fdd415647a1f2dc45fac71b9c522a052b