
CVE-2024-56640: Vulnerability in the Linux kernel

High
Published: Fri Dec 27 2024 (12/27/2024, 15:02:42 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

net/smc: fix LGR and link use-after-free issue

We encountered an LGR/link use-after-free issue, which manifested as the LGR/link refcnt reaching 0 early and entering the clear process, making resource access unsafe.

  refcount_t: addition on 0; use-after-free.
  WARNING: CPU: 14 PID: 107447 at lib/refcount.c:25 refcount_warn_saturate+0x9c/0x140
  Workqueue: events smc_lgr_terminate_work [smc]
  Call trace:
   refcount_warn_saturate+0x9c/0x140
   __smc_lgr_terminate.part.45+0x2a8/0x370 [smc]
   smc_lgr_terminate_work+0x28/0x30 [smc]
   process_one_work+0x1b8/0x420
   worker_thread+0x158/0x510
   kthread+0x114/0x118

or

  refcount_t: underflow; use-after-free.
  WARNING: CPU: 6 PID: 93140 at lib/refcount.c:28 refcount_warn_saturate+0xf0/0x140
  Workqueue: smc_hs_wq smc_listen_work [smc]
  Call trace:
   refcount_warn_saturate+0xf0/0x140
   smcr_link_put+0x1cc/0x1d8 [smc]
   smc_conn_free+0x110/0x1b0 [smc]
   smc_conn_abort+0x50/0x60 [smc]
   smc_listen_find_device+0x75c/0x790 [smc]
   smc_listen_work+0x368/0x8a0 [smc]
   process_one_work+0x1b8/0x420
   worker_thread+0x158/0x510
   kthread+0x114/0x118

It is caused by repeated release of LGR/link refcnt. One suspect is that smc_conn_free() is called repeatedly because some smc_conn_free() from server listening path are not protected by sock lock.

e.g.

  Calls under socklock        | smc_listen_work
  -------------------------------------------------------
  lock_sock(sk)               | smc_conn_abort
  smc_conn_free               | \- smc_conn_free
   \- smcr_link_put           |    \- smcr_link_put (duplicated)
  release_sock(sk)

So here add sock lock protection in smc_listen_work() path, making it exclusive with other connection operations.

AI-Powered Analysis

AI analysis last updated: 07/02/2025, 21:58:17 UTC

Technical Analysis

CVE-2024-56640 is a use-after-free (CWE-416) in the Linux kernel's SMC (Shared Memory Communications) socket family, in the reference counting of the link group (LGR) and of the links (struct smc_link) that SMC-R connections are mapped onto. The commit message quoted above describes the symptom: the LGR/link refcount drops to zero while the object is still in use, so the object enters its teardown path early and every later access is to freed memory. The root cause is a double release of one reference. smc_conn_free() is reachable from the server-side listen path (smc_listen_work() -> smc_listen_find_device() -> smc_conn_abort()) without the socket lock, so it can run concurrently with the lock-protected smc_conn_free() on the close path. Both callers observe a live link group and each drop the connection's single reference through smcr_link_put(). Depending on which path arrives last, the kernel reports either "refcount_t: underflow" (the duplicate put hits a count that is already zero, the second trace above) or "refcount_t: addition on 0" (a later holder such as smc_lgr_terminate_work() increments a count that has already reached zero, the first trace above). The fix takes lock_sock() in the smc_listen_work() path, making connection teardown there mutually exclusive with the other connection operations, so the second caller finds the connection already detached from its link group and returns without dropping anything.

The CVE record scores the issue CVSS 3.1 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): local attack vector, low attack complexity, low privileges, no user interaction, high confidentiality, integrity and availability impact. No exploitation in the wild has been reported. The record references commit 3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 when identifying affected code; any kernel built with CONFIG_SMC from that lineage and without the backported fix should be treated as affected. In practice the vulnerable path is only reachable on hosts where the smc module is loaded and an SMC-R link can be established (the traces show smcr_link_put(), the SMC-R link release), and an attacker must be able to drive AF_SMC connections against a listening socket while racing its teardown. The demonstrated effect is a refcount warning followed by use of a freed link or link group; that is a kernel memory-safety primitive that can crash the machine and, with the usual heap-grooming effort, could be turned into local privilege escalation. The CVSS impact ratings describe that worst case, not a public exploit.
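As an added illustration, not code from the kernel or from this page's analysis, the following userspace C program models the race the commit message diagrams: two callers of a conn_free()-style routine on one connection, run in the serialized order the sock lock enforces and in the interleaved order possible without it. The struct names, the READ/PUT split and the initial reference count of two (one held by the link group, one by the connection) are hypothetical stand-ins for smc_connection, smc_link and smcr_link_put(), chosen to reproduce both refcount_t warnings quoted in the description; they are not the kernel's data layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* The two refcount_t warnings quoted in the CVE description, as raised by
 * refcount_warn_saturate() in lib/refcount.c. */
enum ref_warn { REF_WARN_NONE = 0, REF_WARN_ADD_ON_ZERO, REF_WARN_UNDERFLOW };

struct refcount {
    unsigned int val;
    enum ref_warn warn;           /* first warning raised; sticky */
};

static void refcount_inc(struct refcount *r)
{
    if (r->val == 0) {            /* "refcount_t: addition on 0; use-after-free." */
        if (r->warn == REF_WARN_NONE)
            r->warn = REF_WARN_ADD_ON_ZERO;
        return;
    }
    r->val++;
}

static bool refcount_dec_and_test(struct refcount *r)
{
    if (r->val == 0) {            /* "refcount_t: underflow; use-after-free." */
        if (r->warn == REF_WARN_NONE)
            r->warn = REF_WARN_UNDERFLOW;
        return false;
    }
    return --r->val == 0;
}

/* Hypothetical stand-ins for smc_link and smc_connection: only what the race needs. */
struct link {
    struct refcount refcnt;
    bool freed;                   /* set when the last reference is dropped */
};

struct conn {
    struct link *lnk;             /* the connection's own reference on the link */
};

static void link_put(struct link *l)           /* models smcr_link_put() */
{
    if (refcount_dec_and_test(&l->refcnt))
        l->freed = true;
}

/* conn_free() split at the window that matters: READ observes conn->lnk,
 * PUT clears it and drops the reference. The sock lock makes one caller's
 * READ+PUT atomic with respect to the other; without it the second caller
 * can READ between the first caller's READ and PUT. */
struct free_ctx {
    struct conn *c;
    struct link *seen;            /* conn->lnk as observed in READ */
};

static void conn_free_read(struct free_ctx *f) { f->seen = f->c->lnk; }

static void conn_free_put(struct free_ctx *f)
{
    if (!f->seen)                 /* already torn down by the other path */
        return;
    f->c->lnk = NULL;
    link_put(f->seen);
}

enum step { A_READ, A_PUT, B_READ, B_PUT };

/* Run two conn_free() callers (A: close path under lock_sock, B: smc_listen_work)
 * in the given order, then let the link's owner (the link group) touch the link
 * once more: take a reference, as smc_lgr_terminate_work does, or drop its own.
 * Returns the first refcount warning, REF_WARN_NONE if the schedule was safe. */
static enum ref_warn run_schedule(const enum step *sched, size_t n, bool owner_holds)
{
    /* Assumed initial count: one reference held by the link group, one by the connection. */
    struct link lnk = { .refcnt = { .val = 2, .warn = REF_WARN_NONE }, .freed = false };
    struct conn c = { .lnk = &lnk };
    struct free_ctx a = { .c = &c, .seen = NULL }, b = { .c = &c, .seen = NULL };

    for (size_t i = 0; i < n; i++) {
        switch (sched[i]) {
        case A_READ: conn_free_read(&a); break;
        case A_PUT:  conn_free_put(&a);  break;
        case B_READ: conn_free_read(&b); break;
        case B_PUT:  conn_free_put(&b);  break;
        }
    }
    if (owner_holds)
        refcount_inc(&lnk.refcnt);
    else
        link_put(&lnk);
    return lnk.refcnt.warn;
}

static const enum step serialized[] = { A_READ, A_PUT, B_READ, B_PUT }; /* with the fix */
static const enum step racy[]       = { A_READ, B_READ, A_PUT, B_PUT }; /* without it */

enum ref_warn serialized_outcome(bool owner_holds) { return run_schedule(serialized, 4, owner_holds); }
enum ref_warn racy_outcome(bool owner_holds)       { return run_schedule(racy, 4, owner_holds); }

int main(void)
{
    printf("serialized, owner holds: %d\n", serialized_outcome(true));   /* 0: no warning */
    printf("serialized, owner puts:  %d\n", serialized_outcome(false));  /* 0 */
    printf("racy, owner holds:       %d\n", racy_outcome(true));         /* 1: addition on 0 */
    printf("racy, owner puts:        %d\n", racy_outcome(false));        /* 2: underflow */
    return 0;
}
```

The serialized schedule is what lock_sock() in smc_listen_work() guarantees: caller B reads a NULL link pointer and returns. In the racy schedule both callers read a live pointer, the link's count reaches zero while the link group still holds a reference, and whichever thing the owner does next (hold or put) produces the corresponding warning from the advisory.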

Potential Impact

The exposure is limited to Linux hosts on which the SMC protocol is actually in use, that is, where the smc kernel module is loaded and an SMC-R (RDMA, for example RoCE) or SMC-D (ISM on IBM Z/LinuxONE) device is present; a general-purpose server without that module cannot reach the vulnerable path. In Europe that profile fits mainframe-hosted workloads in banking and insurance and RDMA-equipped database and storage clusters in data centers rather than ordinary cloud instances. Where it applies, successful exploitation yields at least a kernel crash (denial of service) and, in the worst case the CVSS vector rates, kernel-level privilege escalation with full loss of confidentiality and integrity, which for systems holding personal data brings GDPR breach-notification obligations. The attack vector is local: the attacker needs code execution on the host already, so the realistic scenarios are multi-tenant or shared-hosting systems, container hosts where a tenant can open AF_SMC sockets, and insider threats. No user interaction is required, so once a local foothold exists the attempt can be fully automated. Given how widely Linux is used across European public sector, financial services and technology companies, hosts that match the SMC profile should be identified and patched promptly rather than treated as a low-priority local bug.

Mitigation Recommendations

The fix is already merged in the mainline Linux kernel and backported to the stable branches (the Linux CNA assigns CVEs only to issues it has fixed), so the primary action is to move to a kernel build that carries the commit "net/smc: fix LGR and link use-after-free issue" through the distribution's update channel and to confirm it in the package changelog. Before that, establish whether a host is exposed at all: check for CONFIG_SMC in the running kernel's configuration, whether the smc module is loaded (lsmod), and whether any AF_SMC sockets are in use. If SMC is not needed, prevent the module from loading, for example with an "install smc /bin/false" line in a file under /etc/modprobe.d; the module is autoloaded through its net-pf-43 alias the moment a local process creates an AF_SMC socket, so merely not loading it at boot is not enough. Where SMC is required and the patch cannot be applied yet, restrict local access to trusted users and monitor the kernel log for the signature in the advisory: a "refcount_t: underflow" or "refcount_t: addition on 0" line followed by a WARNING at lib/refcount.c with [smc] frames (smcr_link_put, smc_conn_free, smc_listen_work, smc_lgr_terminate_work) in the call trace, which means the race has fired, whether by accident or by attack. Kernel hardening such as KASLR raises the cost of turning the use-after-free into code execution but does not remove the bug, and kernel lockdown does not address it at all. In virtualized and containerized environments the relevant kernel is the one that serves the AF_SMC socket, the guest kernel for VMs and the host kernel for containers, so patch accordingly. Keep distribution updates current, and use EDR or kernel telemetry that can flag the refcount warnings and unexpected oopses.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-12-27T15:00:39.839Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9822c4522896dcbde43c

Added to database: 5/21/2025, 9:08:50 AM

Last enriched: 7/2/2025, 9:58:17 PM

Last updated: 8/14/2025, 1:06:10 AM

