A newly identified vulnerability, CVE-2022-23035, highlights the improper handling of IRQs (Interrupt Requests) passed through to x86 HVM (Hardware-assisted Virtual Machine) guests. Insufficient cleanup of these IRQs has been discovered and can result in use-after-free and NULL pointer dereferences, providing potential attack vectors for malicious parties. The improper management of IRQs associated with physical devices exposed to x86 HVM guests can be particularly problematic when multiple interrupts are involved. This article will discuss the details of the vulnerability and provide references to original sources.

Exploit Details

The vulnerability emerges when IRQs associated with physical devices are exposed to x86 HVM guests. As the guest uses the device, the system must clean up after the guest's use to prevent any lingering interrupts from causing potential issues. However, this cleanup process is flawed in handling multiple interrupts.

Consider the following illustrative code snippet, showcasing the cleanup process:

#include <stdbool.h>

#define NR_IRQS 256            /* illustrative size, not a real constant */

typedef struct {
    bool in_use;               /* IRQ currently bound to a guest */
} irq_desc_t;

extern irq_desc_t irq_desc[NR_IRQS];   /* per-IRQ descriptor table */
extern void free_irq(int irq);         /* releases one IRQ */

void cleanup_irqs(void)
{
    int i;
    irq_desc_t *desc;

    /* Walk every IRQ and release those still marked in use. */
    for (i = 0; i < NR_IRQS; i++) {
        desc = &irq_desc[i];
        if (desc->in_use) {
            free_irq(i);
            // ...
        }
    }
}

In this example, cleanup_irqs() iterates through all IRQs, checking if they are in use and calling free_irq() to clean up. However, this process can lead to incorrect handling when there are multiple interrupts at work.

Suppose an interrupt is not yet quiescent when the cleanup is invoked. In that case, the cleanup attempt is scheduled to be retried later. When multiple interrupts are involved, the scheduling of this retry may be skipped erroneously. At the same time, pointers can get cleared (leading to NULL dereferences) and the objects they reference freed (resulting in use-after-free), all while other code still assumes these pointers remain valid.
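The following added example is a constructed C model of this failure mode, not Xen's code: several IRQs of one passed-through device share a state object, and a cleanup pass runs while the first IRQ is still in flight. The flawed variant overwrites its "retry needed" decision on every iteration, so a quiescent IRQ processed after a busy one makes it skip the retry, free the shared state and clear the pointer. The corrected variant remembers that any IRQ was pending, keeps the state alive and schedules the retry. All names (`model_dev`, `run_scenario`, `MODEL_NR_IRQS`) and the scenario itself are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not Xen's implementation: one device, several IRQs,
 * one shared state object that every IRQ handler of the device touches. */
#define MODEL_NR_IRQS 3

struct model_irq {
    bool in_use;     /* bound to the guest */
    bool in_flight;  /* interrupt not yet quiesced */
};

struct model_dev {
    struct model_irq irq[MODEL_NR_IRQS];
    int *shared_state;       /* must stay valid while any IRQ is in flight */
    bool retry_scheduled;
};

struct outcome {
    bool retry_scheduled;
    bool state_freed;
    int irqs_still_in_flight; /* > 0 together with state_freed == dangling */
};

/* Flawed pattern: `done` is reset by every quiescent IRQ, so a pending IRQ
 * seen earlier in the loop is forgotten and the retry is skipped. */
static void cleanup_flawed(struct model_dev *dev)
{
    bool done = true;
    for (int i = 0; i < MODEL_NR_IRQS; i++) {
        struct model_irq *d = &dev->irq[i];
        if (!d->in_use)
            continue;
        if (d->in_flight) {
            done = false;        /* needs a retry ... */
            continue;
        }
        d->in_use = false;
        done = true;             /* ... but this overwrites that decision */
    }
    if (done) {
        free(dev->shared_state); /* freed while irq[0] may still use it */
        dev->shared_state = NULL; /* later users now dereference NULL */
        dev->retry_scheduled = false;
    } else {
        dev->retry_scheduled = true;
    }
}

/* Corrected pattern: release only quiescent IRQs now; if anything is still
 * in flight, leave the shared state alone and schedule the retry. */
static void cleanup_fixed(struct model_dev *dev)
{
    bool pending = false;
    for (int i = 0; i < MODEL_NR_IRQS; i++) {
        struct model_irq *d = &dev->irq[i];
        if (!d->in_use)
            continue;
        if (d->in_flight) {
            pending = true;      /* sticky: never reset inside the loop */
            continue;
        }
        d->in_use = false;
    }
    if (pending) {
        dev->retry_scheduled = true;
        return;                  /* shared_state stays valid for handlers */
    }
    free(dev->shared_state);
    dev->shared_state = NULL;
    dev->retry_scheduled = false;
}

/* Constructed scenario: irq[0] still in flight, the others quiescent. */
struct outcome run_scenario(void (*cleanup)(struct model_dev *))
{
    struct model_dev dev = { .retry_scheduled = false };
    dev.shared_state = malloc(sizeof *dev.shared_state);
    *dev.shared_state = 0;
    for (int i = 0; i < MODEL_NR_IRQS; i++) {
        dev.irq[i].in_use = true;
        dev.irq[i].in_flight = (i == 0);
    }

    cleanup(&dev);

    struct outcome o = { dev.retry_scheduled, dev.shared_state == NULL, 0 };
    for (int i = 0; i < MODEL_NR_IRQS; i++)
        if (dev.irq[i].in_use && dev.irq[i].in_flight)
            o.irqs_still_in_flight++;
    free(dev.shared_state);      /* free(NULL) is a no-op */
    return o;
}

int main(void)
{
    struct outcome f = run_scenario(cleanup_flawed);
    struct outcome g = run_scenario(cleanup_fixed);
    printf("flawed: retry=%d freed=%d in_flight=%d\n",
           f.retry_scheduled, f.state_freed, f.irqs_still_in_flight);
    printf("fixed:  retry=%d freed=%d in_flight=%d\n",
           g.retry_scheduled, g.state_freed, g.irqs_still_in_flight);
    return 0;
}
```

The flawed run reports no retry with the state already freed while one IRQ is still in flight, which is exactly the dangling-pointer window the advisory describes; the fixed run keeps the state, leaves the pending IRQ bound and schedules the retry. The defensive property worth reviewing in real cleanup code is the same: the "still pending" decision must be sticky across the whole loop, and shared resources may only be released once every user has quiesced.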

Original References

- Xen Advisory: XSA-380
- Details on the vulnerability: CVE-2022-23035

Mitigation

To mitigate this vulnerability, software patches have been released to correct the IRQ cleanup process. Applying these patches should be done promptly to reduce potential attack vectors for malicious parties.

Conclusion

CVE-2022-23035 highlights the importance of proper resource handling and cleanup, especially in contexts with virtual machines. Due to the subtle nature of insufficient IRQ cleanup, this vulnerability may have flown under the radar, but it is vital to apply the necessary patches and remain vigilant when managing resources. This issue underscores the need for continuous testing and code reviews for critical system components, as even minor oversights can lead to significant security vulnerabilities.

Timeline

Published on: 01/25/2022 14:15:00 UTC
Last modified on: 08/19/2022 09:59:00 UTC