CVE-2022-48910

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 22/08/2024
Last modified: 08/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

net: ipv6: ensure we call ipv6_mc_down() at most once

There are two reasons for addrconf_notify() to be called with NETDEV_DOWN: either the network device is actually going down, or IPv6 was disabled on the interface.

If either of them stays down while the other is toggled, we repeatedly call the code for NETDEV_DOWN, including ipv6_mc_down(), while never calling the corresponding ipv6_mc_up() in between. This will cause a new entry in idev->mc_tomb to be allocated for each multicast group the interface is subscribed to, which in turn leaks one struct ifmcaddr6 per nontrivial multicast group the interface is subscribed to.

The following reproducer will leak at least $n objects:

    ip addr add ff2e::4242/32 dev eth0 autojoin
    sysctl -w net.ipv6.conf.eth0.disable_ipv6=1
    for i in $(seq 1 $n); do
        ip link set up eth0; ip link set down eth0
    done

Joining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the sysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2) can also be used to create a nontrivial idev->mc_list, which will then leak objects with the right up-down sequence.

Based on both sources for NETDEV_DOWN events the interface IPv6 state should be considered:

- not ready if the network interface is not ready OR IPv6 is disabled for it
- ready if the network interface is ready AND IPv6 is enabled for it

The functions ipv6_mc_up() and ipv6_down() should only be run when this state changes.

Implement this by remembering when the IPv6 state is ready, and only run ipv6_mc_down() if it actually changed from ready to not ready.

The other direction (not ready -> ready) already works correctly, as:

- the interface notification triggered codepath for NETDEV_UP / NETDEV_CHANGE returns early if ipv6 is disabled, and
- the disable_ipv6=0 triggered codepath skips fully initializing the interface as long as addrconf_link_ready(dev) returns false
- calling ipv6_mc_up() repeatedly does not leak anything
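As an added illustration (not kernel code and not the patch itself), the C model below replays the reproducer from the description against both the pre-fix and the fixed NETDEV_DOWN handling and counts the mc_tomb entries that are never reclaimed. struct idev_model, handle() and run_reproducer() are hypothetical names, and the per-group accounting is a deliberate simplification of how tomb entries are added and removed.

```c
#include <stdbool.h>
/* Toy model of the IPv6 state addrconf_notify() handles (added illustration,
 * not kernel code). Each joined multicast group costs one mc_tomb entry every
 * time ipv6_mc_down() runs; ipv6_mc_up() reclaims at most one per group. */
struct idev_model {
    bool link_up, ipv6_enabled;
    bool mc_ready;   /* remembered "ready" state that the fix introduces */
    bool fixed;      /* true: transition-gated mc_down(); false: pre-fix logic */
    int groups;      /* nontrivial multicast groups the interface has joined */
    int tomb_alloc, tomb_freed;
};
enum event { LINK_UP, LINK_DOWN, IPV6_ENABLE, IPV6_DISABLE };
static void mc_down(struct idev_model *d) { d->tomb_alloc += d->groups; }
static void mc_up(struct idev_model *d)
{
    int live = d->tomb_alloc - d->tomb_freed;
    d->tomb_freed += live < d->groups ? live : d->groups;
}
static void handle(struct idev_model *d, enum event ev)
{
    if (ev == LINK_UP || ev == LINK_DOWN)
        d->link_up = (ev == LINK_UP);
    else
        d->ipv6_enabled = (ev == IPV6_ENABLE);
    bool down_event = (ev == LINK_DOWN || ev == IPV6_DISABLE);
    bool ready = d->link_up && d->ipv6_enabled;   /* link ready AND IPv6 on */
    /* pre-fix: every NETDEV_DOWN source ran ipv6_mc_down(); fixed: only when
     * the remembered state goes ready -> not ready. Up already needs both. */
    if (down_event && (!d->fixed || d->mc_ready))
        mc_down(d);
    else if (!down_event && ready)
        mc_up(d);
    d->mc_ready = ready;
}
/* Replays the advisory's reproducer and returns how many tomb entries remain
 * unreclaimed once IPv6 is back up on the link, i.e. the leak. */
int run_reproducer(bool fixed, int groups, int n)
{
    struct idev_model d = { .link_up = true, .ipv6_enabled = true,
                            .mc_ready = true, .fixed = fixed, .groups = groups };
    handle(&d, IPV6_DISABLE);                 /* sysctl disable_ipv6=1 */
    for (int i = 0; i < n; i++) {
        handle(&d, LINK_UP);                  /* ip link set up eth0 */
        handle(&d, LINK_DOWN);                /* ip link set down eth0 */
    }
    handle(&d, LINK_UP);
    handle(&d, IPV6_ENABLE);                  /* ready again: ipv6_mc_up() */
    return d.tomb_alloc - d.tomb_freed;
}
```

With one joined group the pre-fix model leaks exactly n entries per n up/down cycles, matching the "at least $n objects" claim, while the transition-gated version leaks none.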

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.18 (including) 4.9.313 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.10 (including) 4.14.278 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.15 (including) 5.4.193 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.104 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.27 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 5.16.13 (excluding)
cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:*