Bug 2059294 (CVE-2022-0742)

Summary: CVE-2022-0742 kernel: bug memory leaks in ICMPv6 handlers
Product: [Other] Security Response Reporter: Alex <allarkin>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: acaringi, adscvr, airlied, alciregi, bhu, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, joe.lawrence, jonathan, josef, jshortt, jstancek, jwboyer, jwyatt, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, security-response-team, steved, vkumar, walters, williams, zulinx86
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Linux kernel 5.17-rc7 Doc Type: If docs needed, set a value
Doc Text:
A memory leak flaw was found in the Linux kernel’s ICMPv6 networking protocol, in the way a user generated malicious ICMPv6 packets. This flaw allows a remote user to crash the system.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 12:16:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 2059308, 2059309, 2063534    
Bug Blocks: 2059178    

Description Alex 2022-02-28 16:46:35 UTC
A flaw in the Linux Kernel found.
If looking at a suspect synchronize_net() added in the blamed commit
f185de28d9ae ("mld: add new workqueues for process mld events"),
I found that igmp6_event_query() and igmp6_event_report()
simply forget to free skbs when their respective queues are full.

The fix is for the
void mld_process_v2(..)
in net/ipv6/mcast.c

This means that attackers can remotely OOM hosts, which is not nice.

TODO add link to patch when public

Comment 5 Alex 2022-03-13 14:02:32 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2063534]

Comment 6 Justin M. Forbes 2022-03-16 15:51:11 UTC
This was fixed for Fedora with the 5.16.13 stable kernel updates.

Comment 7 Product Security DevOps Team 2022-05-17 12:16:08 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):