In the Linux kernel, the following vulnerability has been resolved:
mac802154: fix llsec key resources release in mac802154_llsec_key_del
mac802154_llsec_key_del() can free resources of a key directly without following the RCU rules for waiting before the end of a grace period. This may lead to use-after-free in case llsec_lookup_key() is traversing the list of keys in parallel with a key deletion:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 4 PID: 16000 at lib/refcount.c:25 refcount_warn_saturate+0x162/0x2a0
Modules linked in:
CPU: 4 PID: 16000 Comm: wpan-ping Not tainted 6.7.0 #19
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
RIP: 0010:refcount_warn_saturate+0x162/0x2a0
Call Trace:
 <TASK>
 llsec_lookup_key.isra.0+0x890/0x9e0
 mac802154_llsec_encrypt+0x30c/0x9c0
 ieee802154_subif_start_xmit+0x24/0x1e0
 dev_hard_start_xmit+0x13e/0x690
 sch_direct_xmit+0x2ae/0xbc0
 __dev_queue_xmit+0x11dd/0x3c20
 dgram_sendmsg+0x90b/0xd60
 __sys_sendto+0x466/0x4c0
 __x64_sys_sendto+0xe0/0x1c0
 do_syscall_64+0x45/0xf0
 entry_SYSCALL_64_after_hwframe+0x6e/0x76
Also, ieee802154_llsec_key_entry structures are not freed by mac802154_llsec_key_del():
unreferenced object 0xffff8880613b6980 (size 64):
  comm "iwpan", pid 2176, jiffies 4294761134 (age 60.475s)
  hex dump (first 32 bytes):
    78 0d 8f 18 80 88 ff ff 22 01 00 00 00 00 ad de  x......."......
    00 00 00 00 00 00 00 00 03 00 cd ab 00 00 00 00  ................
  backtrace:
    [<ffffffff81dcfa62>] kmem_cache_alloc_node+0x1e2/0x2d0
    [<ffffffff81c43865>] kmalloc_trace+0x25/0xc0
    [<ffffffff88968b09>] mac802154_llsec_key_add+0xac9/0xcf0
    [<ffffffff8896e41a>] ieee802154_add_llsec_key+0x5a/0x80
    [<ffffffff8892adc6>] nl802154_add_llsec_key+0x426/0x5b0
    [<ffffffff86ff293e>] genl_family_rcv_msg_doit+0x1fe/0x2f0
    [<ffffffff86ff46d1>] genl_rcv_msg+0x531/0x7d0
    [<ffffffff86fee7a9>] netlink_rcv_skb+0x169/0x440
    [<ffffffff86ff1d88>] genl_rcv+0x28/0x40
    [<ffffffff86fec15c>] netlink_unicast+0x53c/0x820
    [<ffffffff86fecd8b>] netlink_sendmsg+0x93b/0xe60
    [<ffffffff86b91b35>] ____sys_sendmsg+0xac5/0xca0
    [<ffffffff86b9c3dd>] ___sys_sendmsg+0x11d/0x1c0
    [<ffffffff86b9c65a>] __sys_sendmsg+0xfa/0x1d0
    [<ffffffff88eadbf5>] do_syscall_64+0x45/0xf0
    [<ffffffff890000ea>] entry_SYSCALL_64_after_hwframe+0x6e/0x76
Handle the proper resource release in the RCU callback function mac802154_llsec_key_del_rcu().
Note that if llsec_lookup_key() finds a key, it takes a reference via llsec_key_get() and locally copies the key id from key_entry (which is a list element). So it is safe to call llsec_key_put() and free the list entry after the RCU grace period elapses.
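The release pattern described above, modelled in user-space C as an added example (this is not the kernel's code): call_rcu() and synchronize_rcu() are stand-ins that queue and then run callbacks, and llsec_key, key_entry, key_get/key_put, lookup_key and run_scenario are hypothetical simplifications of the mac802154 llsec structures and helpers.

```c
/* Added example, not kernel code: user-space model of deferring key release to an RCU callback. */
#include <stdlib.h>
struct llsec_key { int refcnt; };          /* stands in for the refcounted mac802154_llsec_key */
struct key_entry { struct key_entry *next; int id; struct llsec_key *key; };
struct rcu_cb { struct rcu_cb *next; void (*fn)(struct key_entry *); struct key_entry *e; };
static struct rcu_cb *pending;             /* callbacks waiting for the grace period to end */
static struct key_entry *keys;             /* the RCU-protected key list */
static int freed_keys, freed_entries;      /* counters so the scenario can be checked */
static struct llsec_key *key_get(struct llsec_key *k) { k->refcnt++; return k; }
static void key_put(struct llsec_key *k) { if (--k->refcnt == 0) { free(k); freed_keys++; } }
/* The fix: drop the key reference AND free the list entry only here, after
 * every reader that may have seen the entry has finished its traversal. */
static void key_del_rcu(struct key_entry *e) { key_put(e->key); free(e); freed_entries++; }
static void call_rcu(struct key_entry *e, void (*fn)(struct key_entry *)) {
    struct rcu_cb *cb = malloc(sizeof *cb);   /* queue instead of running now */
    cb->fn = fn; cb->e = e; cb->next = pending; pending = cb;
}
/* Stand-in for the end of a grace period: run every deferred callback. */
static void synchronize_rcu(void) {
    while (pending) { struct rcu_cb *cb = pending; pending = cb->next; cb->fn(cb->e); free(cb); }
}
static void key_add(int id) {
    struct key_entry *e = calloc(1, sizeof *e); e->id = id;
    e->key = calloc(1, sizeof *e->key); e->key->refcnt = 1; e->next = keys; keys = e;
}
static void key_del(int id) {              /* unlink now, release after the grace period */
    for (struct key_entry **pp = &keys; *pp; pp = &(*pp)->next)
        if ((*pp)->id == id) { struct key_entry *e = *pp; *pp = e->next; call_rcu(e, key_del_rcu); return; }
}
/* Reader side, as llsec_lookup_key() does: take a reference and copy the id so
 * the list entry is never dereferenced again once the lookup returns. */
static struct llsec_key *lookup_key(int id, int *id_out) {
    for (struct key_entry *e = keys; e; e = e->next)
        if (e->id == id) { *id_out = e->id; return key_get(e->key); }
    return NULL;
}
/* A reader holds a key across its deletion. Returns 0 if nothing is freed early
 * and the entry and the key are each released exactly once afterwards. */
int run_scenario(void) {
    int id = 0; keys = NULL; freed_keys = freed_entries = 0;
    key_add(7);
    struct llsec_key *k = lookup_key(7, &id);     /* refcnt 1 -> 2 */
    key_del(7);                                   /* unlinked; release deferred */
    if (freed_keys || freed_entries) return -1;
    synchronize_rcu();                            /* entry freed, refcnt 2 -> 1 */
    if (freed_entries != 1 || freed_keys != 0) return -2;
    key_put(k);                                   /* the reader's reference was the last one */
    return (freed_keys == 1 && freed_entries == 1 && id == 7) ? 0 : -3;
}
```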
Found by Linux Verification Center (linuxtesting.org).