HIGH
ipv4 IGMP Timer UAF
CVE-2023-6932
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI score: 7.8 (HIGH)
01 Description
A use-after-free vulnerability in the Linux kernel's ipv4: igmp component can be exploited to achieve local privilege escalation. A race condition can be exploited to cause a timer to be mistakenly registered on an RCU read-locked object which is freed by another thread. We recommend upgrading past commit e2b706c691905fe78468c361aaabc719d0a496f1.
02 KernelScan AI Analysis
Risk summary
An attacker who can send IGMP query packets to a vulnerable system and who has local access to configure network interfaces could trigger this use-after-free condition. While the vulnerability requires a specific network configuration (a bridge with multicast addresses) and particular timing, successful exploitation could lead to kernel memory corruption and privilege escalation.
Vulnerability analysis
Summary: A race condition in the IPv4 IGMP (Internet Group Management Protocol) implementation allows a timer to be registered on a multicast list object that has already been freed by another thread, leading to a use-after-free vulnerability.
Root Cause: The original code in igmp_start_timer() used mod_timer() followed by refcount_inc() without proper synchronization. This created a race window where Thread A could decrement the reference count to zero and free the multicast list object while Thread B was attempting to start a timer on the same object. The refcount_inc() would then operate on freed memory.
Attack Surface: This vulnerability can be triggered by network packets (IGMPv2 query messages) sent to a system with bridge interfaces configured with multicast addresses. The race condition is more likely to occur when bridge interfaces are rapidly brought up and down while receiving IGMP traffic. Local access is required to configure the network interfaces, but the triggering packets can come from the network.
Fix Mechanism: The patch replaces the unsafe sequence with refcount_inc_not_zero(), which atomically checks that the reference count is non-zero before incrementing it. If the increment succeeds, it then calls mod_timer(); if mod_timer() reports that the timer was already pending, the extra reference is released with ip_ma_put(). This ensures the object cannot be freed while the timer is being set up.
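To make the fix mechanism concrete, the following is a userspace C model of the old and patched igmp_start_timer() sequences. It is an added example, not kernel code and not the patch itself: struct ip_mc_list_model, the mod_timer()/refcount_inc_not_zero()/ip_ma_put() stand-ins and the refcnt_after() helper are all constructed for illustration, with refcnt == 0 standing for "another thread already dropped the last reference and freed the object".

```c
/* Userspace model of the igmp_start_timer() race and its fix; constructed example, not kernel code. */
#include <stdatomic.h>
#include <stdbool.h>
struct ip_mc_list_model { atomic_int refcnt; bool timer_pending; }; /* stands in for struct ip_mc_list */
/* mod_timer() model: arm the timer and report whether it was already pending. */
static int model_mod_timer(struct ip_mc_list_model *im)
{
    int was_pending = im->timer_pending;
    im->timer_pending = true;
    return was_pending;
}

/* refcount_inc_not_zero() model: a CAS loop that refuses to revive a count of 0. */
static bool model_refcount_inc_not_zero(atomic_int *r)
{
    int old = atomic_load(r);
    do {
        if (old == 0)
            return false;
    } while (!atomic_compare_exchange_weak(r, &old, old + 1));
    return true;
}

/* Pre-fix pattern: arm the timer, then take a reference unconditionally; if another
 * thread dropped the last reference meanwhile, this bumps a freed object's count. */
static void igmp_start_timer_old(struct ip_mc_list_model *im)
{
    if (!model_mod_timer(im))
        atomic_fetch_add(&im->refcnt, 1);
}

/* Fixed pattern: proceed only if the object is still alive; if the timer was already
 * armed it already owns a reference, so give ours back (models ip_ma_put()). */
static bool igmp_start_timer_fixed(struct ip_mc_list_model *im)
{
    if (!model_refcount_inc_not_zero(&im->refcnt))
        return false;
    if (model_mod_timer(im))
        atomic_fetch_sub(&im->refcnt, 1);
    return true;
}

/* Scenario helper: refcnt starts at `initial` (0 = already freed by another thread). */
static int refcnt_after(bool fixed, int initial, bool pending)
{
    struct ip_mc_list_model im = { .refcnt = initial, .timer_pending = pending };
    if (fixed) igmp_start_timer_fixed(&im); else igmp_start_timer_old(&im);
    return atomic_load(&im.refcnt);
}
```

With refcnt already at 0, the old sequence resurrects the freed object's count to 1 (the use-after-free), while the fixed sequence leaves it at 0 and never touches the timer; on a live object whose timer is already pending, the fixed path ends with the refcount unchanged.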
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| mainline | 6.7 | e2b706c69190 |