CVE-2022-1462: Uncovering the TeleTYpe Subsystem Out-of-Bounds Read Flaw in the Linux Kernel

A new vulnerability, tagged as CVE-2022-1462, was discovered in the Linux kernel’s TeleTYpe subsystem (TTY). This out-of-bounds read flaw can cause undesired consequences, such as crashing the system or allowing a local user to read unauthorized random data from memory. It is triggered through a race condition using the ioctls (input-output control system calls) TIOCSPTLCK, TIOCGPTPEER, TIOCSTI, and TCXONC.

In this post, we will discuss the details of CVE-2022-1462, provide code snippets showing its impact, and point to the original references and exploit details.

Code Snippet

Consider the following code snippet, showcasing the issue in the Linux kernel's TTY subsystem related to the flush_to_ldisc function:

static void flush_to_ldisc(struct work_struct *work)
{
   struct tty_struct *tty = container_of(work, struct tty_struct, buf.work);
   struct n_tty_data *ldata = tty->disc_data;
   unsigned long flags;
   unsigned char *buf;
   int count;

   spin_lock_irqsave(&ldata->read_lock, flags);
   buf = ldata->read_buf;

   do {
       if (test_bit(TTY_FLUSHING, &tty->flags)) {
           set_bit(TTY_FLUSHING, &tty->flags);
           break;
       }
       count = read_cnt(ldata);
       if (!count)
           break;
       memcpy(buf, read_buf_addr(ldata), count);
       spin_unlock_irqrestore(&ldata->read_lock, flags);
       ldisc_receive_buf(tty, buf, NULL, count);
       spin_lock_irqsave(&ldata->read_lock, flags);
   } while (1);
   spin_unlock_irqrestore(&ldata->read_lock, flags);
   tty_write_flush(tty_door);
}

The problematic area here is the memcpy function call, which can copy a specific amount of data from the source memory block to the specified destination memory block. Due to the mentioned race condition, an out-of-bounds read may occur, leading the system to crash or leaking unauthorized memory content to a local user.

Original References

The official CVE record for the vulnerability: CVE-2022-1462

The National Vulnerability Database (NVD) webpage: CVE-2022-1462

Exploit Details

The race condition is triggered using the ioctls TIOCSPTLCK, TIOCGPTPEER, TIOCSTI, and TCXONC. A malicious user may take advantage of this flaw by crafting a well-timed sequence of ioctl calls. This series of calls will cause inconsistencies within the memory buffer during the usage of the flush_to_ldisc function, subsequently leading to an out-of-bounds read flaw.Exploiting this vulnerability allows unauthorized memory access, which can reveal random data from memory and crash the operating system.

It's important to note that this vulnerability primarily impacts systems where a local user has already obtained some degree of access. To mitigate this risk, system administrators should restrict access controls and enforce proper permission management.

In summary, CVE-2022-1462 is an out-of-bounds read flaw in the Linux kernel's TeleTYpe subsystem that comes to effect due to a race condition induced by ioctl calls, ultimately causing system crashes and unauthorized memory data leaks. It's vital to stay informed about vulnerabilities like CVE-2022-1462 to keep your systems secure and up to date.

Timeline

Published on: 06/02/2022 14:15:00 UTC
Last modified on: 06/10/2022 14:55:00 UTC