Bug 2258584 (CVE-2024-0584)

Summary: CVE-2024-0584 kernel: refcnt uaf issue when receiving igmp query packet in igmp_start_timer
Product: [Other] Security Response
Reporter: Rohit Keshri <rkeshri>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, allarkin, bhu, chwhite, cye, cyin, dbohanno, debarbos, dfreiber, drow, dvlasenk, ezulian, haliu, hkrzesin, jarod, jburrell, jdenham, jfaracco, jforbes, jlelli, joe.lawrence, jshortt, jstancek, jwyatt, kcarcia, ldoskova, lgoncalv, lzampier, mmilgram, mstowell, nmurray, ptalbert, rparrazo, rrobaina, rvrbovsk, rysulliv, scweaver, sidakwo, tglozar, tyberry, vkumar, wcosta, williams, wmealing, ycote, ykopkova, zhijwang
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: Kernel 6.7-rc4
Doc Type: If docs needed, set a value
Doc Text: A use-after-free issue was found in igmp_start_timer in net/ipv4/igmp.c in the network sub-component in the Linux Kernel. This flaw allows a local user to observe a refcnt use-after-free issue when receiving an igmp query packet, leading to a kernel information leak.
Last Closed: 2024-01-21 09:05:58 UTC
Bug Blocks: 2258583

Description Rohit Keshri 2024-01-16 11:49:10 UTC
A use-after-free issue was found in igmp_start_timer in net/ipv4/igmp.c in the network sub-component in the Linux Kernel. In this flaw a local user may observe a refcnt use-after-free issue when receiving an igmp query packet, which could lead to a kernel information leak problem.

When the device receives an IGMPv2 Query message, it starts the timer immediately, regardless of whether the device is running. If the device is down and has left the multicast group, it will cause the mc list refcount uaf issue.

https://lore.kernel.org/netdev/170083982540.9628.4546899811301303734.git-patchwork-notify@kernel.org/T/
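
A simplified userspace model of the reference-counting problem described in the report above, added here as an example: it is not kernel source or the upstream patch, and every name in it (`mc_entry`, `start_timer_unguarded`, `start_timer_guarded`, `query_after_leave`) is hypothetical. It contrasts arming the timer unconditionally with arming it only after a reference could be taken on an entry whose count is still non-zero.

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of a multicast list entry; hypothetical, not the kernel structure. */
struct mc_entry {
    unsigned refcnt;    /* 0 means the last reference is gone (entry released) */
    bool timer_pending; /* a pending timer is supposed to own one reference */
};

/* Take a reference only while the entry is still alive. */
static bool ref_inc_not_zero(struct mc_entry *e)
{
    if (e->refcnt == 0)
        return false;
    e->refcnt++;
    return true;
}

/* Models re-arming a timer: returns true if it was already pending. */
static bool model_mod_timer(struct mc_entry *e)
{
    bool was_pending = e->timer_pending;
    e->timer_pending = true;
    return was_pending;
}

/* Unguarded: arms the timer first, then bumps the count, even from 0 to 1. */
static void start_timer_unguarded(struct mc_entry *e)
{
    if (!model_mod_timer(e))
        e->refcnt++;
}

/* Guarded: refuses to arm the timer when no reference can be taken. */
static bool start_timer_guarded(struct mc_entry *e)
{
    if (!ref_inc_not_zero(e))
        return false;
    if (model_mod_timer(e))
        e->refcnt--; /* the pending timer already held its reference */
    return true;
}

/* Query handled after the group was left; true if a timer is now pending
 * on the released entry (the condition that leads to the use-after-free). */
static bool query_after_leave(bool guarded)
{
    struct mc_entry e = { .refcnt = 0, .timer_pending = false }; /* constructed */
    if (guarded) start_timer_guarded(&e); else start_timer_unguarded(&e);
    return e.timer_pending;
}

int main(void)
{
    printf("unguarded: timer on released entry = %d\n", query_after_leave(false));
    printf("guarded:   timer on released entry = %d\n", query_after_leave(true));
    return 0;
}
```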

Comment 4 Hangbin Liu 2024-01-19 00:55:28 UTC
Hi Rohit,

You have opened the same issue with CVE-2023-6932. Am I missing something?

Thanks
Hangbin

Comment 5 Rohit Keshri 2024-01-21 09:05:58 UTC
In reply to comment #4:
> Hi Rohit,
> 
> You have opened the same issue with CVE-2023-6932. Am I missing something?
> 
> Thanks
> Hangbin

Hi Hangbin, Yes I see the same. I am closing this as a duplicate of CVE-2023-6932. Thank you.

*** This bug has been marked as a duplicate of bug 2255283 ***