Bug 1197128 - (CVE-2022-0742) VUL-0: CVE-2022-0742: kernel: bug memory leaks in ICMPv6 handlers
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/326212/
Blocks: 1197129
Reported: 2022-03-15 13:18 UTC by Alexander Bergmann
Modified: 2022-07-21 20:34 UTC
Found By: Security Response Team
Description Alexander Bergmann 2022-03-15 13:18:48 UTC
rh#2059294

A flaw in the Linux Kernel was found.
If looking at a suspect synchronize_net() added in the blamed commit
f185de28d9ae ("mld: add new workqueues for process mld events"),
I found that igmp6_event_query() and igmp6_event_report()
simply forget to free skbs when their respective queues are full.

The fix is for void mld_process_v2(..) in net/ipv6/mcast.c.

This means that attackers can remotely OOM hosts, which is not nice.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2059294
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0742
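To make the defect described above concrete, here is a userspace model of the bug class: a receive handler hands each incoming MLD message (an "skb") to a bounded per-device queue that a deferred worker drains later, and the leaky shape drops the message without freeing it when the queue is full, while the fixed shape frees on every path that does not take ownership. This is an added example, not the kernel's code and not from this bug report; the queue bound, the struct layout and the names MLD_QUEUE_CAP, event_query_leaky, event_query_fixed and leaked_after_burst are invented for the model, and only kfree_skb mirrors a real kernel helper's NULL-tolerant contract.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Userspace model of the leak behind CVE-2022-0742 (added example, not
 * kernel code). All names and the queue bound below are invented; only the
 * shape of the defect (drop on a full queue without freeing) is modelled.
 */

#define MLD_QUEUE_CAP 32     /* model's queue bound (the kernel has its own) */
#define MAX_TRACKED   4096   /* size of the allocation ledger used to audit leaks */

struct skb {
    unsigned char payload[64];
    struct skb *next;
};

/* Allocation ledger: every live skb is recorded so the audit can count what
 * was never freed and reclaim it afterwards. */
static struct skb *ledger[MAX_TRACKED];
static long live_skbs;

static struct skb *alloc_skb(void)
{
    struct skb *s = calloc(1, sizeof *s);
    if (!s) abort();
    for (unsigned i = 0; i < MAX_TRACKED; i++)
        if (!ledger[i]) { ledger[i] = s; break; }
    live_skbs++;
    return s;
}

/* Same contract as the kernel's kfree_skb(): NULL is accepted and ignored. */
static void kfree_skb(struct skb *s)
{
    if (!s) return;
    for (unsigned i = 0; i < MAX_TRACKED; i++)
        if (ledger[i] == s) { ledger[i] = NULL; break; }
    live_skbs--;
    free(s);
}

struct mc_queue { struct skb *head, *tail; unsigned len; };

static void queue_tail(struct mc_queue *q, struct skb *s)
{
    s->next = NULL;
    if (q->tail) q->tail->next = s; else q->head = s;
    q->tail = s;
    q->len++;
}

/* Leaky shape: on a full queue the message is silently dropped, but the
 * caller has already handed over the buffer, so nobody frees it. */
static void event_query_leaky(struct mc_queue *q, struct skb *skb)
{
    if (q->len < MLD_QUEUE_CAP)
        queue_tail(q, skb);
    /* full queue: skb goes out of scope while still allocated */
}

/* Fixed shape: ownership moves to the queue only on success; every other
 * path reaches kfree_skb(), which is a no-op once skb has been NULLed. */
static void event_query_fixed(struct mc_queue *q, struct skb *skb)
{
    if (q->len < MLD_QUEUE_CAP) {
        queue_tail(q, skb);
        skb = NULL;
    }
    kfree_skb(skb);
}

/* The deferred worker: here it simply consumes (frees) everything queued. */
static void drain_queue(struct mc_queue *q)
{
    while (q->head) {
        struct skb *s = q->head;
        q->head = s->next;
        kfree_skb(s);
    }
    q->tail = NULL;
    q->len = 0;
}

/* Deliver n messages while the worker is stalled, let it run, and report how
 * many skbs are still allocated. Leftovers are reclaimed so repeated calls
 * start from a clean ledger. */
static long leaked_after_burst(void (*handler)(struct mc_queue *, struct skb *),
                               unsigned n)
{
    struct mc_queue q = { 0 };
    long leaked;

    for (unsigned i = 0; i < n; i++)
        handler(&q, alloc_skb());
    drain_queue(&q);
    leaked = live_skbs;

    for (unsigned i = 0; i < MAX_TRACKED; i++)   /* audit cleanup */
        kfree_skb(ledger[i]);
    return leaked;
}

int main(void)
{
    printf("leaky handler: %ld skbs never freed after 1000 messages\n",
           leaked_after_burst(event_query_leaky, 1000));
    printf("fixed handler: %ld skbs never freed after 1000 messages\n",
           leaked_after_burst(event_query_fixed, 1000));
    return 0;
}
```

The pattern worth taking away is the fixed handler's structure: a single exit through kfree_skb() with the pointer NULLed on the one path that transfers ownership, so that adding a new early-out later cannot reintroduce the leak. The per-message cost of the leak is small, which is why a modest, sustained message rate is enough to exhaust memory when the worker cannot keep the queue below its bound.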
Comment 2 Michal Kubeček 2022-03-15 15:41:18 UTC
As far as I can see, recent commit 2d3916f31891 ("ipv6: fix skb drops in
igmp6_event_query() and igmp6_event_report()"), present in mainline 5.17-rc7
and stable 5.16.13, should address the issue as described in the initial
comment.

        introduced              f185de28d9ae    v5.13-rc1
        fixed                   2d3916f31891    v5.17-rc7

The offending commit has not been backported into any pre-5.13 branch and
stable and master received the fix already so only SLE15-SP4 should need it.
Comment 3 Marcus Meissner 2022-03-15 18:40:17 UTC
From: "sirdarckcat ." <sirdarckcat@chromium.org>
Subject: [oss-security] CVE-2022-0742: Remote Denial of Service on Linux Kernel >=5.13 icmp6

Flooding icmp6 messages of type 130 or 131 is enough to exploit a
memory leak in the kernel and cause the host to go out-of-memory. The
volume of traffic doesn't need to be particularly high. Note that
since the vulnerability was introduced recently (5.13) only 5.15's
stable was affected.

This vulnerability was found/fixed by Eric Dumazet.

CVE will land on MITRE's website sometime this week.

This was fixed on https://kernel.dance/2d3916f3189172d5c69d33065c3c21119fe539fc
{
  "the commit landed on upstream on": [
    {
      "tags": "tags/v5.17-rc7~18^2"
    }
  ],
  "the commit was backported to": [
    {
      "tags": "tags/v5.16.13~140",
      "commit": "5ed9983ce67341b405cf6fda826e29aed26a7371"
    },
    {
      "tags": "tags/v5.15.27~216",
      "commit": "771aca9bc70709771f66c3e7c00ce87339aa1790"
    }
  ],
  "the commit fixes a bug introduced by": [
    {
      "fixes": "f185de28d9ae (\"mld: add new workqueues for process mld events\")"
    }
  ],
  "the buggy commit landed on upstream on": [
    {
      "tags": "tags/v5.13-rc1~94^2~371^2~1",
      "commit": "f185de28d9ae6c978135993769352e523ee8df06"
    }
  ]
}

Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=2d3916f3189172d5c69d33065c3c21119fe539fc
ipv6: fix skb drops in igmp6_event_query() and igmp6_event_report()
While investigating on why a synchronize_net() has been added recently
in ipv6_mc_down(), I found that igmp6_event_query() and igmp6_event_report()
might drop skbs in some cases.

Discussion about removing synchronize_net() from ipv6_mc_down()
will happen in a different thread.

Fixes: f185de28d9ae ("mld: add new workqueues for process mld events")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Taehee Yoo <ap420073@gmail.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20220303173728.937869-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Timeline:

Following https://about.google/appsecurity/ policy:

Feb 23, 2022  - Discovery / Shared with network upstream maintainers,
reproduced, patch confirmed to work, CVE reserved
Feb 25, 2022 - security@kernel.org decides fix/disclosure timeline
Mar 3, 2022 - Patch lands on mainline (Linus tree): 2d3916f3189172d5c69d33065c3c21119fe539fc
Mar 8, 2022 - Patch lands on stable (5.15/5.16)
Mar 15, 2022 - This email is sent (public disclosure of vuln details)
Comment 4 Michal Kubeček 2022-03-15 18:54:47 UTC
The fix has been submitted to

    SLE15-SP4               86ba959dfd70 *

No other branch needs it.

Reassigning back to security team.
Comment 5 Vlastimil Babka 2022-03-16 18:47:25 UTC
I wonder if this should rather go to SLE15-SP4-GA?
Comment 6 Vlastimil Babka 2022-03-16 21:59:08 UTC
(In reply to Vlastimil Babka from comment #5)
> I wonder if this should rather go to SLE15-SP4-GA?

Michal resubmitted to GA, I merged.
Comment 7 Marcus Meissner 2022-03-17 08:15:29 UTC
yes, definitely should be fixed in GA