cve/published/2022/CVE-2022-48910.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2022-48910: net: ipv6: ensure we call ipv6_mc_down() at most once

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 net: ipv6: ensure we call ipv6_mc_down() at most once

 There are two reasons for addrconf_notify() to be called with NETDEV_DOWN:
 either the network device is actually going down, or IPv6 was disabled
 on the interface.

 If either of them stays down while the other is toggled, we repeatedly
 call the code for NETDEV_DOWN, including ipv6_mc_down(), while never
 calling the corresponding ipv6_mc_up() in between. This will cause a
 new entry in idev->mc_tomb to be allocated for each multicast group
 the interface is subscribed to, which in turn leaks one struct ifmcaddr6
 per nontrivial multicast group the interface is subscribed to.

 The following reproducer will leak at least $n objects:

 ip addr add ff2e::4242/32 dev eth0 autojoin
 sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
 for i in $(seq 1 $n); do
 	ip link set up eth0; ip link set down eth0
 done

 Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the
 sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2)
 can also be used to create a nontrivial idev->mc_list, which will the
 leak objects with the right up-down-sequence.

 Based on both sources for NETDEV_DOWN events the interface IPv6 state
 should be considered:

  - not ready if the network interface is not ready OR IPv6 is disabled
    for it
  - ready if the network interface is ready AND IPv6 is enabled for it

 The functions ipv6_mc_up() and ipv6_down() should only be run when this
 state changes.

 Implement this by remembering when the IPv6 state is ready, and only
 run ipv6_mc_down() if it actually changed from ready to not ready.

 The other direction (not ready -> ready) already works correctly, as:

  - the interface notification triggered codepath for NETDEV_UP /
    NETDEV_CHANGE returns early if ipv6 is disabled, and
  - the disable_ipv6=0 triggered codepath skips fully initializing the
    interface as long as addrconf_link_ready(dev) returns false
  - calling ipv6_mc_up() repeatedly does not leak anything

 The Linux kernel CVE team has assigned CVE-2022-48910 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 4.9.313 with commit 9a8736b2da28b24f01707f592ff059b9f90a058c
 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 4.14.278 with commit c71bf3229f9e9dd60ba02f5a5be02066edf57012
 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 4.19.323 with commit 24888915364cfa410de62d8abb5df95c3b67455d
 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.4.193 with commit 9588ac2eddc2f223ebcebf6e9f5caed84d32922b
 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.10.104 with commit f4c63b24dea9cc2043ff845dcca9aaf8109ea38a
 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.15.27 with commit b11781515208dd31fbcd0b664078dce5dc44523f
 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.16.13 with commit 72124e65a70b84e6303a5cd21b0ac1f27d7d61a4
 	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.17 with commit 9995b408f17ff8c7f11bc725c8aa225ba3a63b1c

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2022-48910
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	net/ipv6/addrconf.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9a8736b2da28b24f01707f592ff059b9f90a058c
 	https://git.kernel.org/stable/c/c71bf3229f9e9dd60ba02f5a5be02066edf57012
 	https://git.kernel.org/stable/c/24888915364cfa410de62d8abb5df95c3b67455d
 	https://git.kernel.org/stable/c/9588ac2eddc2f223ebcebf6e9f5caed84d32922b
 	https://git.kernel.org/stable/c/f4c63b24dea9cc2043ff845dcca9aaf8109ea38a
 	https://git.kernel.org/stable/c/b11781515208dd31fbcd0b664078dce5dc44523f
 	https://git.kernel.org/stable/c/72124e65a70b84e6303a5cd21b0ac1f27d7d61a4
 	https://git.kernel.org/stable/c/9995b408f17ff8c7f11bc725c8aa225ba3a63b1c
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2022-48910: net: ipv6: ensure we call ipv6_mc_down() at most once

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	net: ipv6: ensure we call ipv6_mc_down() at most once

	There are two reasons for addrconf_notify() to be called with NETDEV_DOWN:
	either the network device is actually going down, or IPv6 was disabled
	on the interface.

	If either of them stays down while the other is toggled, we repeatedly
	call the code for NETDEV_DOWN, including ipv6_mc_down(), while never
	calling the corresponding ipv6_mc_up() in between. This will cause a
	new entry in idev->mc_tomb to be allocated for each multicast group
	the interface is subscribed to, which in turn leaks one struct ifmcaddr6
	per nontrivial multicast group the interface is subscribed to.

	The following reproducer will leak at least $n objects:

	ip addr add ff2e::4242/32 dev eth0 autojoin
	sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
	for i in $(seq 1 $n); do
	ip link set up eth0; ip link set down eth0
	done

	Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the
	sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2)
	can also be used to create a nontrivial idev->mc_list, which will the
	leak objects with the right up-down-sequence.

	Based on both sources for NETDEV_DOWN events the interface IPv6 state
	should be considered:

	- not ready if the network interface is not ready OR IPv6 is disabled
	for it
	- ready if the network interface is ready AND IPv6 is enabled for it

	The functions ipv6_mc_up() and ipv6_down() should only be run when this
	state changes.

	Implement this by remembering when the IPv6 state is ready, and only
	run ipv6_mc_down() if it actually changed from ready to not ready.

	The other direction (not ready -> ready) already works correctly, as:

	- the interface notification triggered codepath for NETDEV_UP /
	NETDEV_CHANGE returns early if ipv6 is disabled, and
	- the disable_ipv6=0 triggered codepath skips fully initializing the
	interface as long as addrconf_link_ready(dev) returns false
	- calling ipv6_mc_up() repeatedly does not leak anything

	The Linux kernel CVE team has assigned CVE-2022-48910 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 4.9.313 with commit 9a8736b2da28b24f01707f592ff059b9f90a058c
	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 4.14.278 with commit c71bf3229f9e9dd60ba02f5a5be02066edf57012
	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 4.19.323 with commit 24888915364cfa410de62d8abb5df95c3b67455d
	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.4.193 with commit 9588ac2eddc2f223ebcebf6e9f5caed84d32922b
	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.10.104 with commit f4c63b24dea9cc2043ff845dcca9aaf8109ea38a
	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.15.27 with commit b11781515208dd31fbcd0b664078dce5dc44523f
	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.16.13 with commit 72124e65a70b84e6303a5cd21b0ac1f27d7d61a4
	Issue introduced in 3.18 with commit 3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 and fixed in 5.17 with commit 9995b408f17ff8c7f11bc725c8aa225ba3a63b1c

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2022-48910
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	net/ipv6/addrconf.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9a8736b2da28b24f01707f592ff059b9f90a058c
	https://git.kernel.org/stable/c/c71bf3229f9e9dd60ba02f5a5be02066edf57012
	https://git.kernel.org/stable/c/24888915364cfa410de62d8abb5df95c3b67455d
	https://git.kernel.org/stable/c/9588ac2eddc2f223ebcebf6e9f5caed84d32922b
	https://git.kernel.org/stable/c/f4c63b24dea9cc2043ff845dcca9aaf8109ea38a
	https://git.kernel.org/stable/c/b11781515208dd31fbcd0b664078dce5dc44523f
	https://git.kernel.org/stable/c/72124e65a70b84e6303a5cd21b0ac1f27d7d61a4
	https://git.kernel.org/stable/c/9995b408f17ff8c7f11bc725c8aa225ba3a63b1c