CVE-2022-1195 is a use-after-free flaw in the Linux kernel's amateur-radio (hamradio) drivers under drivers/net/hamradio. A local attacker with user privileges can trigger it when an mkiss or 6pack (sixpack) device is detached: the driver reclaims the device's frame buffers before unregister_netdev() has run, so a code path still active on the device can touch freed memory, and the outcome is a denial of service (DoS). This article walks through the affected close path, the upstream fix, and how to check whether a kernel carries it.

Background on Hamradio Drivers

The drivers in drivers/net/hamradio support amateur (ham) radio packet links. mkiss and 6pack are tty line disciplines: a serial port connected to a terminal node controller (TNC) is attached to the N_AX25 (KISS framing, handled by mkiss) or N_6PACK (6PACK framing) line discipline, and the driver exposes the link as an AX.25 network interface (ax0, sp0 and so on) that the kernel's AX.25 stack and user-space programs send frames through. Each driver keeps per-device receive and transmit buffers, rbuff and xbuff, which the framing code uses for as long as the interface exists.

The Vulnerability - Use-After-Free

The use-after-free (CVE-2022-1195) sits in the close paths of both drivers: mkiss_close() in drivers/net/hamradio/mkiss.c and sixpack_close() in drivers/net/hamradio/6pack.c. When the line discipline is detached, the driver frees the frame buffers (rbuff and xbuff) and only afterwards calls unregister_netdev(). unregister_netdev() is what quiesces the network device: until it returns, the device is still registered and a transmit already under way (ax_xmit() into ax_encaps() for mkiss, sp_xmit() into sp_encaps() for 6pack) can still write into xbuff. Freeing the buffers first leaves a window in which the kernel dereferences memory that has already gone back to the allocator, which is undefined behaviour and in practice a crash.

Exploit Details

The flaw is reached on the detach path: when the tty carrying the line discipline is closed or switched to another line discipline, the kernel calls mkiss_close() or sixpack_close(), which frees the buffers before the device is unregistered. A local user who can drive that detach while a transmit is in flight on the interface gets a kernel crash, that is, a denial of service against the whole system, not just the hamradio interface. Two preconditions matter in practice: attaching the N_AX25 or N_6PACK line discipline requires CAP_NET_ADMIN in both drivers, so a vulnerable system is one where a hamradio interface has already been configured; and the CVE is assessed as a DoS only, with no privilege escalation claimed.

The affected function, condensed from drivers/net/hamradio/mkiss.c as it stood before the fix (the refcount wait on ax->dead and the lock details are elided; sixpack_close() in 6pack.c has the same shape with sp->rbuff and sp->xbuff):

static void mkiss_close(struct tty_struct *tty)
{
	struct mkiss *ax;

	write_lock_irq(&disc_data_lock);
	ax = tty->disc_data;
	tty->disc_data = NULL;
	write_unlock_irq(&disc_data_lock);

	if (!ax)
		return;

	/* ... wait for existing tty-side users of ax to finish ... */

	netif_stop_queue(ax->dev);

	/* Free all AX25 frame buffers. */
	kfree(ax->rbuff);
	kfree(ax->xbuff);

	ax->tty = NULL;

	unregister_netdev(ax->dev);

	free_netdev(ax->dev);
}

The ordering is the problem: kfree(ax->rbuff) and kfree(ax->xbuff) run before unregister_netdev(ax->dev). Clearing tty->disc_data under disc_data_lock and waiting for existing users stops new work arriving through the tty side, but it does nothing for the network side: the device is still registered, so a transmit that enters ax_xmit() and then ax_encaps() can still use ax->xbuff after it has been freed. netif_stop_queue() only stops new frames being queued; only unregister_netdev() guarantees that no transmit path is still running once it returns.

Proposed Fix

The fix merged upstream as commit "hamradio: defer ax25 kfree after unregister_netdev" (the matching "hamradio: defer 6pack kfree after unregister_netdev" makes the same change in sixpack_close()) moves unregister_netdev() ahead of the kfree() calls, so the buffers are released only once the device can no longer have users; a follow-up, "hamradio: improve the incomplete fix to avoid NPD", tightened these close paths further. The end of mkiss_close() after the reorder:

	netif_stop_queue(ax->dev);

	unregister_netdev(ax->dev);

	/* Free all AX25 frame buffers after unreg. */
	kfree(ax->rbuff);
	kfree(ax->xbuff);

	ax->tty = NULL;

	free_netdev(ax->dev);
}

Because distributions backport these commits into older version numbers, check for the commits themselves (git log --oneline -- drivers/net/hamradio/ in the kernel source tree, or the distribution advisory for CVE-2022-1195) rather than relying on the kernel version alone.
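To make the ordering argument concrete, the following is an added user-space model written for this article; it is not kernel code and none of its names (ax_model, tracked_buf, ax_encaps_model, unregister_dev_model, close_before_fix, close_after_fix) exist in the drivers. It mirrors both orderings shown above: unregister_netdev() is modelled by a routine that completes one transmit that was already in flight before marking the device gone, and a tracked buffer stands in for KASAN, counting writes into a freed buffer instead of performing them. The in-flight frame is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not kernel code: a model of the mkiss_close() ordering bug.
 * All names below are the model's own assumptions, not driver identifiers. */

#define XBUFF_SIZE 64

struct tracked_buf {
	unsigned char *data;
	size_t len;
	int live;                   /* 1 while "allocated", 0 after tracked_kfree() */
};

struct ax_model {
	struct tracked_buf xbuff;   /* transmit buffer, like struct mkiss::xbuff */
	int pending_frame;          /* a transmit queued before teardown began */
	int uaf_hits;               /* writes into xbuff after it was "freed" */
};

static void tracked_kmalloc(struct tracked_buf *b, size_t len)
{
	b->data = calloc(1, len);
	b->len = len;
	b->live = b->data != NULL;
}

/* Marks the buffer freed. The memory itself is released only in
 * ax_model_destroy(), so the model never dereferences truly freed memory. */
static void tracked_kfree(struct tracked_buf *b)
{
	b->live = 0;
}

static void ax_model_destroy(struct ax_model *ax)
{
	free(ax->xbuff.data);
	ax->xbuff.data = NULL;
}

/* Model of ax_encaps(): KISS-frame the payload into xbuff
 * (FEND, port/command byte, payload, FEND; byte escaping omitted). */
static int ax_encaps_model(struct ax_model *ax, const unsigned char *p, size_t n)
{
	size_t i, out = 0;

	if (!ax->xbuff.live) {
		ax->uaf_hits++;         /* KASAN would report a use-after-free here */
		return -1;
	}
	ax->xbuff.data[out++] = 0xC0;
	ax->xbuff.data[out++] = 0x00;
	for (i = 0; i < n && out + 1 < ax->xbuff.len; i++)
		ax->xbuff.data[out++] = p[i];
	ax->xbuff.data[out++] = 0xC0;
	return (int)out;
}

/* Model of unregister_netdev(): the device is usable until this returns,
 * so a transmit that was already queued is completed here. */
static void unregister_dev_model(struct ax_model *ax)
{
	static const unsigned char frame[] = "N0CALL>CQ:hello";  /* constructed */

	if (ax->pending_frame) {
		ax_encaps_model(ax, frame, sizeof(frame) - 1);
		ax->pending_frame = 0;
	}
}

static void ax_model_init(struct ax_model *ax)
{
	memset(ax, 0, sizeof(*ax));
	tracked_kmalloc(&ax->xbuff, XBUFF_SIZE);
	ax->pending_frame = 1;      /* constructed: a transmit is in flight at close */
}

/* Teardown as before the fix: kfree() first, unregister_netdev() second.
 * Returns the number of writes into the freed buffer. */
int close_before_fix(void)
{
	struct ax_model ax;
	int hits;

	ax_model_init(&ax);
	tracked_kfree(&ax.xbuff);       /* kfree(ax->xbuff); */
	unregister_dev_model(&ax);      /* unregister_netdev(ax->dev); */
	hits = ax.uaf_hits;
	ax_model_destroy(&ax);
	return hits;
}

/* Teardown as after the fix: unregister_netdev() first, then kfree(). */
int close_after_fix(void)
{
	struct ax_model ax;
	int hits;

	ax_model_init(&ax);
	unregister_dev_model(&ax);      /* unregister_netdev(ax->dev); */
	tracked_kfree(&ax.xbuff);       /* kfree(ax->xbuff); */
	hits = ax.uaf_hits;
	ax_model_destroy(&ax);
	return hits;
}

int main(void)
{
	printf("before fix: %d write(s) into freed xbuff\n", close_before_fix());
	printf("after fix:  %d write(s) into freed xbuff\n", close_after_fix());
	return 0;
}
```

The model deliberately keeps the allocation alive until the end so the bad ordering is observable rather than undefined; against the real driver the same window is only visible with KASAN or as a crash, which is why the commit message describes it as a race between a sender and mkiss_close().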

Conclusion

CVE-2022-1195 is a use-after-free in the Linux kernel's hamradio drivers, mkiss and 6pack: their close paths freed the frame buffers before unregister_netdev(), so a transmit still in flight on the detaching device could touch freed memory, and a local user with access to such a device could crash the kernel (denial of service). The upstream fix defers the kfree() calls until after unregister_netdev(). Update to a kernel that carries the fix commits, and on systems that have no use for amateur-radio interfaces, keep the mkiss and 6pack modules from loading at all.

Timeline

Published on: 04/29/2022 16:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC