In 2022, researchers discovered a worrying vulnerability in the Linux kernel’s vmwgfx driver—CVE-2022-22942. If you run Linux on VMware virtual machines, this bug could let a regular user quietly snoop on files belonging to other users or root. Here’s a plain-English rundown, showing you what happened, why it’s a problem, and what you can do about it.

What is CVE-2022-22942?

The vmwgfx driver helps Linux systems work with VMware’s virtual graphics hardware. But a big mistake in its code left a dangling file pointer—like a lost note that says “look at this file”—permitting one user to access files other programs had opened. This is known as a local privilege escalation vulnerability.

CVSS base score: 7.8 (High)

- Affected component: Linux kernel’s drivers/gpu/drm/vmwgfx/

Fixed in: Linux kernel 5.13.19, 5.15.11, 5.16

> TL;DR: If someone breaks into a regular account, they can use this bug to read files from other users, or even root, without an admin knowing.

What’s a Dangling Pointer, and Why is This Bad?

In C code, a *pointer* is like a street address. A *dangling pointer* means the street is gone, but you still have the address, so if you go there something unpredictable might happen.

The vmwgfx code was supposed to clean up after itself. But it didn’t, and as a result, a user could reuse a file pointer from another process, peeking into private files.

Quick Look at the Bad Code

Here’s a simplified snippet to show where things went wrong. (You can see the original patch here: CVE-2022-22942 patch)

struct vmw_fpriv {
    struct file *file_priv;
    /* ... */
};

static int vmw_open(struct drm_device *dev, struct drm_file *file) {
    struct vmw_fpriv *vmw_fp;

    vmw_fp = kzalloc(sizeof(*vmw_fp), GFP_KERNEL);
    /* ... */
    vmw_fp->file_priv = file;
    /* ... */
    file->driver_priv = vmw_fp; // Connection made here
    return ;
}

static void vmw_release(struct drm_device *dev, struct drm_file *file) {
    struct vmw_fpriv *vmw_fp = file->driver_priv;
    /* ... */
    kfree(vmw_fp); // Oops! What about the file pointer?
}

The mistake:
After kfree(vmw_fp), the file_priv pointer could now refer to memory that’s already been reused for something else – in this case, potentially another file object. If an attacker times things just right, they can fool the kernel into giving them *access to files held open by someone else*.

Attackers exploit the bug in multiple steps

1. Open a file as one user (the victim), using an application that keeps it open (think: a system process or editor).
2. Open and close VMWare 3D devices rapidly as an attacker, causing the kernel to allocate and free the vmw_fpriv structure many times.
3. With careful timing, the attacker opens their own files right after the victim closes their vmw_fpriv, so the kernel reallocates the same spot in memory.
4. Now, the attacker can access the file that the victim left open, even though they shouldn’t be allowed.

Proof-of-Concept (PoC) Snippet

The proof-of-concept (PoC) code isn’t trivial because it requires tight timing and access to a VMware virtual GPU device. But here's a distilled version capturing the idea in pseudo-code:

// This is a stylized, not dangerous version for learning only!
fork(); // run victim and attacker in parallel

// Victim process
open("/etc/shadow", O_RDONLY);         // Open sensitive file, keep open
interact_with_vmw_device_as_victim();  // Hold file pointer

// Attacker process
for (;;) {
    open_and_close_vmw_device();       // Free and reallocate vmw_fpriv rapidly
    try_to_access_victim_file_pointer();
    if (can_read_victim_file()) {
        printf("Privileges escalated!\n");
        break;
    }
}

For the actual attack, see kernel-exploits GitHub.

Avoid reusing the same memory block without resetting it.

See the official kernel patch:
linux.git commit 20f3742a (kernel.org)

Update your kernel now. If you installed updates after December 2021, you’re probably fine.

- If you *cannot* update right away, restrict access to your system and consider disabling the vmwgfx module if it's not needed.

References and Further Reading

- NVD (National Vulnerability Database) CVE-2022-22942
- kernel.org patch (official fix)
- CVE Details – CVE-2022-22942
- kernel-exploits/CVE-2022-22942 POC

Conclusion

CVE-2022-22942 is a good reminder: even small mistakes in kernel code can have big security consequences—especially in cloud or shared environments. Update your systems, and stay safe!


*Exclusively written and explained in clear language by AI for your understanding.*

Timeline

Published on: 12/13/2023 09:15:33 UTC