CVE-2022-1198 - Crashing the Linux Kernel via Use-After-Free in the 6pack HAM Radio Driver

Linux is famous for its reliability, but sometimes even the best code slips up. In 2022, a nasty bug—CVE-2022-1198—was discovered in the driver for old HAM radio hardware, specifically the 6pack protocol (drivers/net/hamradio/6pack.c). This flaw lets an attacker from user space crash the whole Linux kernel by simulating an AX.25 network device using the 6pack driver.

If you’re curious about kernel security, or worry about legacy drivers, this exclusive post will explain the CVE in plain language, show you the vulnerable code, and walk through how an attack works.

What is the 6pack Driver?

The 6pack driver is a rarely used part of the Linux networking stack, supporting amateur (HAM) radio modems using the AX.25 packet protocol. It lets hardware talk to Linux’s networking as if it were a network interface.

For most people, this is an obscure feature, but it’s in the mainline kernel and sometimes enabled by distributions or custom kernels.

What is "Use-After-Free"?

A use-after-free bug happens when a piece of memory is freed, but the program keeps using the pointer to it. If that memory is reused for something else, chaos can follow: from harmless crashes to real code execution by attackers.

Where is the bug?

The vulnerable code is in drivers/net/hamradio/6pack.c and handles attaching network devices. Here’s a simplified look at the problem area:

static int sp_open(struct net_device *dev)
{
    struct sp_struct *sp = netdev_priv(dev);

    // ... some setup code ...

    if (open_failed) {
        free_netdev(dev);      // device is freed here
        return -ENODEV;
    }

    // ... further code ...
}

Later, because of how this driver is set up, that freed device can still get referenced. By manipulating the order of operations, an attacker can trigger a use-after-free.

How Can This from User Space?

Attackers can simulate devices using standard Linux tools (ip, ifconfig, ioctl, etc.). If they can add an AX.25 device with the 6pack driver and cause sp_open() to fail, the code will free_netdev(dev) too early, but kernel data structures may still reference it.

When the code then makes another reference—like ifconfig downing the interface, or removing it—the kernel could access a dangling pointer. This causes a kernel panic (OOPS), and Linux crashes.

Here’s a simple (dangerous!) example, adapted from research and public advisories

# WARNING: This can CRASH your kernel! Run in a VM or test box only!

# Add a dummy 6pack interface. (Assume sp isn’t taken)
sudo ip link add name sp type ax25hw hwtype 6pack

# Try to bring interface up; if driver fails during open...
sudo ip link set sp up

# (Depending on the kernel and driver compile options, this may crash the kernel right away.)

The key is to create a scenario where the device fails to open, but is still referenced afterwards. This forces the vulnerable logic path in sp_open(). Advanced attackers could script this sequence, or exploit exact driver errors for a precise crash.


## Code Snippet: The Core Bug (from upstream commit)

Here’s the relevant upstream fix, with highlights

- if (open_failed) {
-     free_netdev(dev);
-     return -ENODEV;
- }
+ if (open_failed) {
+     return -ENODEV;
+ }

What changed?
The bad code called free_netdev(dev) in sp_open(). In proper Linux kernel networking, the device should only be freed when the networking core tells it to do so, not inside the open function. The fix removes the premature free, letting the right kernel subsystem handle it.

Exploit Impact

- Unprivileged Crash: Attackers don’t need root, just the ability to manage network devices on Linux.
- Denial of Service: This vulnerability lets anyone on the system crash the OS, making it a denial-of-service (DoS) attack.
- No Code Execution (yet): As of publication, the bug leads to crashes. More sophisticated exploits—targeting specific memory layouts—could maybe go further.

CVE-2022-1198 Official Description:

https://nvd.nist.gov/vuln/detail/CVE-2022-1198

Upstream Linux kernel fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=389bc095a7c61d62c5e6dae8006c3e7ac955dabb

OSS-Security Advisory:

https://www.openwall.com/lists/oss-security/2022/04/04/3

AX.25 and 6pack Drivers in Linux:

https://www.kernel.org/doc/html/latest/networking/hamradio/ax25.html

How to Protect Yourself

- Update your kernel to a version with the fix (April 2022 or later mainline, or your distro’s patched kernel).

Disable hamradio modules if you don’t use them:

Add blacklist 6pack and blacklist ax25 to /etc/modprobe.d/blacklist.conf.
- Drop extra capabilities: Use containers, or eliminate untrusted users with network device privileges.

Final Thoughts

CVE-2022-1198 shows how even "ancient" drivers for odd hardware can bring down cutting-edge Linux systems. If you run servers, always trim your kernel to only what you really need—and stay up to date with patches!

If you want to experiment with this bug, use a VM or a lab system. Don’t try it on a machine you care about, as it can freeze or damage your filesystems.

Stay safe, keep patching, and remember: even the weirdest code can bite!

Timeline

Published on: 08/29/2022 15:15:00 UTC
Last modified on: 09/06/2022 18:23:00 UTC