Linux Kernel AX25 Refcount Leak Vulnerability

Vulnerability

A refcount leak vulnerability has been identified in the Linux kernel's AX25 implementation. When an AX25 device is bound to a socket using the SO_BINDTODEVICE socket option, the reference count is not properly managed, leading to a memory leak. The cause is that the reference counts are incremented only when the device is bound through the ax25_bind() function, not when the SO_BINDTODEVICE option is used. The vulnerability was reported by Syzkaller, which detected a refcount decrement operation hitting zero, indicating leaked memory.

Impact

Exploitation of this vulnerability causes a memory leak because the reference count of AX25 devices bound to sockets is improperly managed, which leads to increased memory usage.

Reproduction

To reproduce this vulnerability, bind an AX25 device to a socket using the SO_BINDTODEVICE socket option. The reference count will not be properly incremented, causing a leak when the socket is closed. This can be observed by monitoring the reference count of the device, which will show a decrement operation hitting zero, indicating a leak.

Remediation

The vulnerability can be addressed by fixing the implementation of the ax25_setsockopt() function to correctly increment the reference counts for devices bound with the SO_BINDTODEVICE option and to decrement the counts for any previously bound devices.
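
The accounting imbalance and the fix described above, as an added user-space model (not kernel code and not the actual patch). The struct and function names are hypothetical, and the model assumes that closing the socket always drops one reference on the bound device and that each device starts with a baseline count of 1.

```c
#include <stdio.h>

/* User-space model of the accounting only; every name here is hypothetical. */
struct model_dev  { int refcnt; };             /* stands in for the AX25 device */
struct model_sock { struct model_dev *dev; };  /* device the socket is bound to */

/* Pre-fix SO_BINDTODEVICE path: records the device, takes no reference. */
static void bindtodevice_unfixed(struct model_sock *s, struct model_dev *d) {
    s->dev = d;
}

/* Post-fix path per the remediation: drop the old device, hold the new one. */
static void bindtodevice_fixed(struct model_sock *s, struct model_dev *d) {
    if (s->dev)
        s->dev->refcnt--;
    d->refcnt++;
    s->dev = d;
}

/* Assumed close path: always drops one reference on the bound device. */
static void sock_release(struct model_sock *s) {
    if (s->dev)
        s->dev->refcnt--;
    s->dev = NULL;
}

/* Bind once, close, and return the device's final count. The device starts
 * at 1 (assumed baseline), so any result other than 1 is an imbalance. */
static int after_close(int fixed) {
    struct model_dev d = { 1 };
    struct model_sock s = { NULL };
    (fixed ? bindtodevice_fixed : bindtodevice_unfixed)(&s, &d);
    sock_release(&s);
    return d.refcnt;
}

/* Rebinding a -> b on the fixed path must leave both devices at baseline. */
static int rebind_balanced(void) {
    struct model_dev a = { 1 }, b = { 1 };
    struct model_sock s = { NULL };
    bindtodevice_fixed(&s, &a);
    bindtodevice_fixed(&s, &b);
    sock_release(&s);
    return a.refcnt == 1 && b.refcnt == 1;
}

int main(void) {
    printf("unfixed=%d fixed=%d rebind_ok=%d\n", after_close(0), after_close(1), rebind_balanced());
    return 0;
}
```

In the unfixed scenario the close path consumes the baseline reference that the socket never took, which is the "decrement hitting zero" condition; the fixed path returns every device to its baseline.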

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.8
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.