2258584 – (CVE-2024-0584) CVE-2024-0584 kernel: refcnt uaf issue when receiving igmp query packet in igmp_start_timer

Bug 2258584 (CVE-2024-0584) - CVE-2024-0584 kernel: refcnt uaf issue when receiving igmp query packet in igmp_start_timer

Summary: CVE-2024-0584 kernel: refcnt uaf issue when receiving igmp query packet in ig...

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2024-0584
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2258583
TreeView+	depends on / blocked

Reported:	2024-01-16 11:49 UTC by Rohit Keshri
Modified:	2024-02-26 14:21 UTC (History)
CC List:	47 users (show)
Fixed In Version:	Kernel 6.7-rc4
Doc Type:	If docs needed, set a value
Doc Text:	A use-after-free issue was found in igmp_start_timer in net/ipv4/igmp.c in the network sub-component in the Linux Kernel. This flaw allows a local user to observe a refcnt use-after-free issue when receiving an igmp query packet, leading to a kernel information leak.
Clone Of:
Environment:
Last Closed:	2024-01-21 09:05:58 UTC
Embargoed:

Attachments	(Terms of Use)

Description Rohit Keshri 2024-01-16 11:49:10 UTC

A use-after-free issue was found in igmp_start_timer in net/ipv4/igmp.c in network sub-component in the Linux Kernel. In this flaw a local user may observe a refcnt use after free issue when receiving igmp query packet, and could lead to a kernel information leak problem.

When the device receives an IGMPv2 Query message, it starts the timer immediately, regardless of whether the device is running. If the device is down and has left the multicast group, it will cause the mc list refcount uaf issue.

https://lore.kernel.org/netdev/170083982540.9628.4546899811301303734.git-patchwork-notify@kernel.org/T/

Comment 4 Hangbin Liu 2024-01-19 00:55:28 UTC

Hi Rohit,

You have opened the same issue with CVE-2023-6932. Am I missing something?

Thanks
Hangbin

Comment 5 Rohit Keshri 2024-01-21 09:05:58 UTC

In reply to comment #4:
> Hi Rohit,
> 
> You have opened the same issue with CVE-2023-6932. Am I missing something?
> 
> Thanks
> Hangbin

Hi Hangbin, Yes I see the same. I am closing this as a duplicate of CVE-2023-6932. Thank you.

*** This bug has been marked as a duplicate of bug 2255283 ***

Note You need to log in before you can comment on or make changes to this bug.

acaringi
allarkin
bhu
chwhite
cye
cyin
dbohanno
debarbos
dfreiber
drow
dvlasenk
ezulian
haliu
hkrzesin
jarod
jburrell
jdenham
jfaracco
jforbes
jlelli
joe.lawrence
jshortt
jstancek
jwyatt
kcarcia
ldoskova
lgoncalv
lzampier
mmilgram
mstowell
nmurray
ptalbert
rparrazo
rrobaina
rvrbovsk
rysulliv
scweaver
sidakwo
tglozar
tyberry
vkumar
wcosta
williams
wmealing
ycote
ykopkova
zhijwang