Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2022-0742: kernel: bug memory leaks in ICMPv6 handlers | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Alexander Bergmann <abergmann> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Major | | |
| Priority: | P3 - Medium | CC: | abergmann, gianluca.gabrielli, jbohac, meissner, mkubecek, smash_bz, sweiberg, tiwai, vbabka |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/326212/ | | |
| Whiteboard: | | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 1197129 | | |
Description
Alexander Bergmann
2022-03-15 13:18:48 UTC
As far as I can see, recent commit 2d3916f31891 ("ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report()"), present in mainline 5.17-rc7 and stable 5.16.13, should address the issue as described in the initial comment.

introduced f185de28d9ae v5.13-rc1
fixed      2d3916f31891 v5.17-rc7

The offending commit has not been backported into any pre-5.13 branch, and stable and master received the fix already, so only SLE15-SP4 should need it.

From: "sirdarckcat ." <sirdarckcat@chromium.org>
Subject: [oss-security] CVE-2022-0742: Remote Denial of Service on Linux Kernel >=5.13 icmp6

Flooding icmp6 messages of type 130 or 131 is enough to exploit a memory leak in the kernel and cause the host to go out-of-memory. The volume of traffic doesn't need to be particularly high. Note that since the vulnerability was introduced recently (5.13) only 5.15's stable was affected.

This vulnerability was found/fixed by Eric Dumazet. CVE will land on MITRE's website sometime this week.

This was fixed on https://kernel.dance/2d3916f3189172d5c69d33065c3c21119fe539fc

"the commit landed on upstream on": [ { "tags": "tags/v5.17-rc7~18^2" } ],
"the commit was backported to": [
  { "tags": "tags/v5.16.13~140", "commit": "5ed9983ce67341b405cf6fda826e29aed26a7371" },
  { "tags": "tags/v5.15.27~216", "commit": "771aca9bc70709771f66c3e7c00ce87339aa1790" } ],
"the commit fixes a bug introduced by": [ { "fixes": "f185de28d9ae (\"mld: add new workqueues for process mld events\")" } ],
"the buggy commit landed on upstream on": [ { "tags": "tags/v5.13-rc1~94^2~371^2~1", "commit": "f185de28d9ae6c978135993769352e523ee8df06" } ],

Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d3916f3189172d5c69d33065c3c21119fe539fc

ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report()

While investigating on why a synchronize_net() has been added recently in ipv6_mc_down(), I found that igmp6_event_query() and igmp6_event_report() might drop skbs in some cases.

Discussion about removing synchronize_net() from ipv6_mc_down() will happen in a different thread.

Fixes: f185de28d9ae ("mld: add new workqueues for process mld events")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Taehee Yoo <ap420073@gmail.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20220303173728.937869-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Timeline:
Following https://about.google/appsecurity/ policy:
Feb 23, 2022 - Discovery / Shared with network upstream maintainers, reproduced, patch confirmed to work, CVE reserved
Feb 25, 2022 - security@kernel.org decides fix/disclosure timeline
Mar 3, 2022 - Patch lands on mainline (Linus tree) 2d3916f3189172d5c69d33065c3c21119fe539fc
Mar 8, 2022 - Patch lands on stable (5.15/5.16)
Mar 15, 2022 - This email is sent (public disclosure of vuln details)

The fix has been submitted to SLE15-SP4 86ba959dfd70
* No other branch needs it.

Reassigning back to security team.

I wonder if this should rather go to SLE15-SP4-GA?

(In reply to Vlastimil Babka from comment #5)
> I wonder if this should rather go to SLE15-SP4-GA?

Michal resubmitted to GA, I merged.

yes, definitely should be fixed in GA
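The advisory quoted above names the trigger precisely: a sustained stream of ICMPv6 type 130 (MLD query) or type 131 (MLDv1 report) messages, at a volume that "doesn't need to be particularly high". Until the SLE15-SP4 fix is deployed, the practical thing a defender can do is watch for exactly that traffic. The following detector is an added example written for this page; it is not code from the bug report, the oss-security mail or the kernel patch. It walks the IPv6 next-header chain (MLD messages sit behind a Hop-by-Hop header carrying the Router Alert option, so a parser that only reads byte 6 of the IPv6 header misses them) and counts MLD messages per source. The sample frames, the link-local addresses and the threshold of 50 are constructed assumptions, not captured data.

```python
"""Flag sources flooding MLD query (ICMPv6 type 130) / MLDv1 report (type 131)
messages, the traffic named as the CVE-2022-0742 trigger.

Added example; not from the bug report or the kernel patch. Sample frames are
constructed below; addresses and the threshold are assumptions."""
import ipaddress
import struct
from collections import Counter

ICMPV6 = 58
EXT_HEADERS = {0, 43, 60}                 # Hop-by-Hop, Routing, Destination Options
MLD_TYPES = {130: "MLD query", 131: "MLDv1 report"}


def icmpv6_type(frame: bytes):
    """Return (source address bytes, ICMPv6 type) for an IPv6 frame, or None.

    Extension headers are skipped because MLD is sent behind a Hop-by-Hop
    header with the Router Alert option (RFC 2710); each extension header
    stores its length in 8-octet units, not counting the first 8 octets.
    """
    if len(frame) < 40 or frame[0] >> 4 != 6:
        return None
    next_hdr, src, off = frame[6], frame[8:24], 40
    while next_hdr in EXT_HEADERS:
        if off + 2 > len(frame):
            return None                   # truncated extension header
        next_hdr, ext_len = frame[off], frame[off + 1]
        off += (ext_len + 1) * 8
    if next_hdr != ICMPV6 or off + 4 > len(frame):
        return None                       # not ICMPv6, or no room for its 4-byte header
    return src, frame[off]


def mld_flood_sources(frames, threshold):
    """Count MLD query/report messages per source and return {src: count}
    for every source that sent at least `threshold` of them."""
    counts = Counter()
    for frame in frames:
        parsed = icmpv6_type(frame)
        if parsed is not None and parsed[1] in MLD_TYPES:
            counts[str(ipaddress.IPv6Address(parsed[0]))] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# --- constructed sample traffic (assumed addresses, not captured data) -------

def build_icmpv6_frame(src, dst, icmp_type, router_alert=True):
    """IPv6 [+ Hop-by-Hop Router Alert] + 24-byte MLDv1-shaped ICMPv6 body.
    The ICMPv6 checksum is left zero; the detector never verifies it."""
    icmp = bytes([icmp_type, 0, 0, 0]) + b"\x00" * 4 + b"\x00" * 16
    # Hop-by-Hop: next header 58, length 0 (8 octets), Router Alert(5,2,0), PadN(1,0)
    hbh = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0]) if router_alert else b""
    payload = hbh + icmp
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload),
                      0 if router_alert else ICMPV6, 1,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_tcp_frame(src, dst):
    """IPv6 frame whose payload is TCP (next header 6); must be ignored."""
    return struct.pack("!IHBB16s16s", 0x60000000, 20, 6, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + b"\x00" * 20


SAMPLE_FRAMES = (
    [build_icmpv6_frame("fe80::bad", "ff02::1", 130)] * 200        # flood of MLD queries
    + [build_icmpv6_frame("fe80::1", "ff02::1:ff00:1", 131)] * 3   # ordinary MLDv1 reports
    + [build_icmpv6_frame("fe80::2", "fe80::1", 128, router_alert=False)]  # echo request
    + [build_tcp_frame("fe80::3", "fe80::1")]
)


def main():
    for src, n in mld_flood_sources(SAMPLE_FRAMES, threshold=50).items():
        print(f"possible MLD flood from {src}: {n} messages")


if __name__ == "__main__":
    main()
```

On a live host the frames would come from a raw AF_PACKET socket or a pcap reader instead of SAMPLE_FRAMES; the threshold should sit well above the normal MLD rate on the segment (a router sends general queries roughly every two minutes by default, and hosts answer with a handful of reports), and a hit means a patch-priority signal, not proof of exploitation.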