CVE-2020-25670: 
Linux Kernel vulnerability analysis and mitigation

A vulnerability (CVE-2020-25670) was discovered in the Linux Kernel's NFC LLCP protocol implementation where a refcount leak in llcpsockbind() could cause use-after-free issues. The vulnerability affects Linux Kernel versions prior to 5.11.4 and was discovered by kiyin (尹亮) of TenCent (Openwall List, NVD).

The vulnerability exists in the llcpsockbind() function where nfcllcplocalget() is called to increase the refcount of local, but the refcount is not properly decreased in failure paths. If nfcllcpgetsdpssap returns LLCPSAPMAX, only llcpsock->servicename gets freed while nothing is done to local, leaving the refcount increased. This allows calling llcpsock_bind() multiple times to keep increasing the refcount of local. The CVSS v3.1 base score is 7.8 (HIGH) with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When the refcount of local reaches 0x80000000, it can lead to a system panic if the system handles the refcount exception. If not handled, the counter will overflow to 0xFFFFFFFF and then cycle through 0 and 1. If nfcllcplocal_put is called when the counter is 0, it will free the local object leading to use-after-free conditions that could enable privilege escalation (Openwall List).

The vulnerability has been fixed in Linux kernel version 5.11.4 and backported to various distributions. Debian has released fixes in versions 4.19.194-1~deb9u1 and 4.9.272-1 (Debian LTS). Fedora has addressed it in kernel versions 5.11.14-100.fc32, 5.11.14-200.fc33, and 5.11.14-300.fc34 (Fedora Update).

NetApp has issued an advisory (NTAP-20210702-0008) acknowledging the impact on multiple NetApp products incorporating the Linux Kernel. They have provided patches for affected products and moved some products to Won't Fix status (NetApp Advisory).