CVE-2022-48910

{"id": "CVE-2022-48910", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-22T02:15:05.403", "references": [{"url": "https://git.kernel.org/stable/c/72124e65a70b84e6303a5cd21b0ac1f27d7d61a4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9588ac2eddc2f223ebcebf6e9f5caed84d32922b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9995b408f17ff8c7f11bc725c8aa225ba3a63b1c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9a8736b2da28b24f01707f592ff059b9f90a058c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/b11781515208dd31fbcd0b664078dce5dc44523f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c71bf3229f9e9dd60ba02f5a5be02066edf57012", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f4c63b24dea9cc2043ff845dcca9aaf8109ea38a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: ipv6: ensure we call ipv6_mc_down() at most once\n\nThere are two reasons for addrconf_notify() to be called with NETDEV_DOWN:\neither the network device is actually going down, or IPv6 was disabled\non the interface.\n\nIf either of them stays down while the other is toggled, we repeatedly\ncall the code for NETDEV_DOWN, including ipv6_mc_down(), while never\ncalling the corresponding ipv6_mc_up() in between. This will cause a\nnew entry in idev->mc_tomb to be allocated for each multicast group\nthe interface is subscribed to, which in turn leaks one struct ifmcaddr6\nper nontrivial multicast group the interface is subscribed to.\n\nThe following reproducer will leak at least $n objects:\n\nip addr add ff2e::4242/32 dev eth0 autojoin\nsysctl -w net.ipv6.conf.eth0.disable_ipv6=1\nfor i in $(seq 1 $n); do\n\tip link set up eth0; ip link set down eth0\ndone\n\nJoining groups with IPV6_ADD_MEMBERSHIP (unprivileged) or setting the\nsysctl net.ipv6.conf.eth0.forwarding to 1 (=> subscribing to ff02::2)\ncan also be used to create a nontrivial idev->mc_list, which will the\nleak objects with the right up-down-sequence.\n\nBased on both sources for NETDEV_DOWN events the interface IPv6 state\nshould be considered:\n\n - not ready if the network interface is not ready OR IPv6 is disabled\n for it\n - ready if the network interface is ready AND IPv6 is enabled for it\n\nThe functions ipv6_mc_up() and ipv6_down() should only be run when this\nstate changes.\n\nImplement this by remembering when the IPv6 state is ready, and only\nrun ipv6_mc_down() if it actually changed from ready to not ready.\n\nThe other direction (not ready -> ready) already works correctly, as:\n\n - the interface notification triggered codepath for NETDEV_UP /\n NETDEV_CHANGE returns early if ipv6 is disabled, and\n - the disable_ipv6=0 triggered codepath skips fully initializing the\n interface as long as addrconf_link_ready(dev) returns false\n - calling ipv6_mc_up() repeatedly does not leak anything"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: net: ipv6: aseg\u00farese de llamar a ipv6_mc_down() como m\u00e1ximo una vez. Hay dos razones para llamar a addrconf_notify() con NETDEV_DOWN: o el dispositivo de red realmente est\u00e1 cayendo o IPv6 estaba deshabilitado en la interfaz. Si alguno de ellos permanece inactivo mientras el otro est\u00e1 activado, llamamos repetidamente al c\u00f3digo para NETDEV_DOWN, incluido ipv6_mc_down(), pero nunca llamamos al ipv6_mc_up() correspondiente en el medio. Esto har\u00e1 que se asigne una nueva entrada en idev->mc_tomb para cada grupo de multidifusi\u00f3n al que est\u00e9 suscrita la interfaz, lo que a su vez filtrar\u00e1 una estructura ifmcaddr6 por cada grupo de multidifusi\u00f3n no trivial al que est\u00e9 suscrita la interfaz. El siguiente reproductor filtrar\u00e1 al menos $n objetos: ip addr add ff2e::4242/32 dev eth0 autojoin sysctl -w net.ipv6.conf.eth0.disable_ipv6=1 for i in $(seq 1 $n); configurar el enlace ip eth0; ip link set down eth0 done Unirse a grupos con IPV6_ADD_MEMBERSHIP (sin privilegios) o configurar sysctl net.ipv6.conf.eth0.forwarding en 1 (=> suscribirse a ff02::2) tambi\u00e9n se puede usar para crear un idev->mc_list no trivial , que filtrar\u00e1 objetos con la secuencia correcta de arriba a abajo. Seg\u00fan ambas fuentes de eventos NETDEV_DOWN, se debe considerar el estado de la interfaz IPv6: - no lista si la interfaz de red no est\u00e1 lista O IPv6 est\u00e1 deshabilitado - lista si la interfaz de red est\u00e1 lista Y IPv6 est\u00e1 habilitada Las funciones ipv6_mc_up() e ipv6_down() solo debe ejecutarse cuando este estado cambie. Implemente esto recordando cu\u00e1ndo el estado de IPv6 est\u00e1 listo y solo ejecute ipv6_mc_down() si realmente cambi\u00f3 de listo a no listo. La otra direcci\u00f3n (no listo -> listo) ya funciona correctamente, ya que: - la ruta de c\u00f3digo activada de notificaci\u00f3n de interfaz para NETDEV_UP / NETDEV_CHANGE regresa antes si ipv6 est\u00e1 deshabilitado, y - la ruta de c\u00f3digo activada enable_ipv6=0 omite la inicializaci\u00f3n completa de la interfaz siempre que addrconf_link_ready (dev) devuelve falso: llamar a ipv6_mc_up() repetidamente no filtra nada"}], "lastModified": "2024-09-12T13:31:57.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "927E10B9-07A2-4D21-B518-62246BE28995", "versionEndExcluding": "4.9.313", "versionStartIncluding": "3.18"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "050329AA-B7D6-45EA-9341-E396DC054423", "versionEndExcluding": "4.14.278", "versionStartIncluding": "4.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A014E697-B30F-4699-8F9E-0FB4E2BB359C", "versionEndExcluding": "5.4.193", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "764998FC-D1F7-4BAA-BD56-A553C7AB8F08", "versionEndExcluding": "5.10.104", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B3A8E092-3021-4A34-8DCE-B89D2238818B", "versionEndExcluding": "5.15.27", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B871B667-EDC0-435D-909E-E918D8D90995", "versionEndExcluding": "5.16.13", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B2D2677C-5389-4AE9-869D-0F881E80D923"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc5:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFA3917C-C322-4D92-912D-ECE45B2E7416"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc6:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BED18363-5ABC-4639-8BBA-68E771E5BB3F"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}