CVE-2022-0382: Uninitialized Memory Leak in Linux Kernel's TIPC Protocol Subsystem - Exploit and Mitigation

A recently discovered vulnerability, CVE-2022-0382, highlights an information leak flaw due to uninitialized memory in the Linux kernel's Transparent Inter-Process Communication (TIPC) protocol subsystem. This vulnerability can be exploited by a local user to read a small amount of kernel memory. However, the issue is limited to no more than seven bytes, and the user cannot control what is read. The flaw affects Linux kernel versions prior to 5.17-rc1.

Details

The TIPC vulnerability results from how the Linux kernel handles the sending of TIPC datagrams to one or more destinations. The tipc_sendmsg() function, which is used to send messages controlled by user-space applications through the TIPC protocol, exposes a small uninitialized memory region in the TIPC message header during transmission.

Below is a code snippet demonstrating the issue in net/tipc/socket.c file

static int tipc_sendmsg(struct sock *sk, struct msghdr *m, size_t d_len)
{
  ...
  struct tipc_skb_cb *skb_cb = TIPC_SKB_CB(skb);
  struct tipc_msg *msg;

  ...
  skb_pull(skb, hdrlen);
  msg = buf_msg(skb);
  
  /* Adjust header after user data has been inserted */
  tipc_msg_set_size(msg, msg_data_sz);
  
  tipc_msg_set_type(msg, TIPC_DIRECT_MSG); // <-- uninitialized payload 7 bytes after this
  ...
}

In the code above, the uninitialized memory leak occurs after setting the message type using tipc_msg_set_type(). The user cannot control the leaked memory content, and it is limited to just seven bytes, reducing the overall risk associated with the flaw.

Exploit

Although the vulnerability allows a local user to read a few bytes of kernel memory, the exploit's practical impact is limited due to the inability to control the leaked content and the small amount of data exposed. There are no current reports of in-the-wild exploits for this vulnerability.

However, it is critical to address this information leak issue, as it could allow a malicious user to gather information on kernel memory layout, potentially giving them a stepping stone towards a more sophisticated attack.

Mitigation

The recommended way to mitigate this issue is by updating the Linux kernel to version 5.17-rc1 or later. For those who cannot immediately update their kernel, applying the following patch to the affected versions helps prevent the uninitialized memory leak.

diff --git a/net/tipc/msg.h b/net/tipc/msg.h
index 81284d3734e9..8c3762a8956d 100644
--- a/net/tipc/msg.h
+++ b/net/tipc/msg.h
@@ -422,6 +422,7 @@ static inline void tipc_msg_set_type(struct tipc_msg *m, u32 type)
 {
        m->hdr[TIPC_WORD(TYPE_DOMAIN)] &= ~TIPC_TYPE_MASK;
        m->hdr[TIPC_WORD(TYPE_DOMAIN)] |= (type << TIPC_TYPE_SHIFT);
+       memset((u32 *)&m->hdr + 8, , TIPC_MIN_HEADER / 4 - 8);
 }

In conclusion, while CVE-2022-0382 may have limited potential for immediate harm, it serves as a stark reminder of the need for continuous kernel security improvements and prompt response to security vulnerabilities.

Timeline

Published on: 02/11/2022 18:15:00 UTC
Last modified on: 02/22/2022 13:51:00 UTC