A newly discovered security vulnerability, CVE-2022-24959, has been identified in Linux kernel versions before 5.16.5. The issue is a memory leak in the yam_siocdevprivate function in drivers/net/hamradio/yam.c. This post walks through the vulnerability details, covers the relevant code snippet, and provides links to the original references for further reading.

Description and Exploit Details

The vulnerability lies in the yam_siocdevprivate function in yam.c, part of the Linux kernel's support for ham radio (AX.25) devices. Memory allocated while handling an ioctl request is not released on one of the function's error paths, so a local user who can issue the ioctl could cause a denial of service (DoS) by gradually exhausting kernel memory.

The code snippet below shows the affected section of the yam_siocdevprivate function (the bodies of the individual cases are elided):

static int yam_siocdevprivate(struct net_device *dev, struct ifreq *ifr, int cmd)
{
    struct yam_private *yp = netdev_priv(dev);
    struct yamdrv_ioctl iy;

    /* Copy the ioctl request header from user space. */
    if (copy_from_user(&iy, ifr->ifr_data, sizeof(iy)))
        return -EFAULT;

    switch (iy.cmd) {
    case SIOCYAMGCFG: {
        ...
        break;
    }

    case SIOCYAMSCFG: {
        struct yamdrv_ioctl iy2;

        /* Second copy of the request for this sub-command. */
        if (copy_from_user(&iy2, ifr->ifr_data, sizeof(iy2)))
            return -EFAULT;
        ...
        break;
    }

    default:
        return -ENOIOCTLCMD;
    }
    return 0;
}

The leak comes from an error path that returns without freeing memory the function has already allocated for the request. The data passed through ifr->ifr_data is not handled consistently: when a user supplies malformed input that trips an error condition, the function returns early with an error code and the allocated memory is never released. Each such call leaks a little more kernel memory, which adds up to resource exhaustion on the system.

To patch this vulnerability, the kernel developers should free the allocated memory on every error-handling path. For instance, the necessary deallocation call can be added before each return that reports an error code, so that the early-exit paths release the same memory the success path does.
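To make the bug class concrete, here is an added userspace model (not the kernel's code, and not the real yam ioctl ABI) of an ioctl-style handler that copies the user's request into freshly allocated memory and forgets to free it on one error path, next to a fixed version with a single exit path. The request format, the command values, the tiny fixed allocation pool and all function names are invented for this example; the pool stands in for the kernel allocator so that the exhaustion outcome is measurable.

```c
#include <errno.h>
#include <string.h>
/* Hypothetical request format and commands; not the real yam ioctl ABI. */
enum { YAM_REQ_SET = 1, YAM_REQ_GET = 2 };
struct yam_req { int cmd; int bitrate; };
/* Tiny fixed pool standing in for the kernel allocator so exhaustion is visible. */
#define POOL_SIZE 8
static struct yam_req pool[POOL_SIZE];
static int in_use[POOL_SIZE];
/* Stand-in for memdup_user(): copy the request into a free pool slot, or fail. */
static struct yam_req *dup_request(const struct yam_req *user)
{
    for (int i = 0; i < POOL_SIZE; i++)
        if (!in_use[i]) { in_use[i] = 1; pool[i] = *user; return &pool[i]; }
    return NULL;                     /* pool exhausted: the denial-of-service outcome */
}
static void free_request(struct yam_req *r) { in_use[r - pool] = 0; }
/* Number of request copies still allocated; stands in for kmemleak's report. */
static int live_requests(void) { int n = 0; for (int i = 0; i < POOL_SIZE; i++) n += in_use[i]; return n; }
/* Leaky handler: the cmd check returns early without releasing the copy. */
static int handler_leaky(const struct yam_req *user)
{
    struct yam_req *r = dup_request(user);
    if (!r) return -ENOMEM;
    if (r->cmd != YAM_REQ_SET)
        return -EINVAL;              /* BUG: r is never freed on this path */
    free_request(r);                 /* only the success path frees it */
    return 0;
}
/* Fixed handler: a single exit path, so every outcome releases the copy. */
static int handler_fixed(const struct yam_req *user)
{
    struct yam_req *r = dup_request(user);
    int ret = 0;
    if (!r) return -ENOMEM;
    if (r->cmd != YAM_REQ_SET) ret = -EINVAL;
    free_request(r);
    return ret;
}
/* Send one malformed request n times from a clean pool; return the last status. */
static int hammer(int (*h)(const struct yam_req *), int n)
{
    struct yam_req bad = { YAM_REQ_GET, 1200 };   /* wrong cmd hits the error path */
    int ret = 0;
    memset(in_use, 0, sizeof(in_use));
    for (int i = 0; i < n; i++)
        ret = h(&bad);
    return ret;
}
```

With the leaky handler, the pool is full after POOL_SIZE malformed requests and every later call fails with -ENOMEM, while the fixed handler keeps reporting -EINVAL with nothing left allocated.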

It's important to note that exploiting this vulnerability requires specific conditions (access to the ioctl of a yam device), so it might not be easily exploitable in real-world situations. Nonetheless, it should be addressed to eliminate the risk.

Original References and Further Reading

1. CVE Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24959
2. NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2022-24959
3. Linux Kernel Patch: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/drivers/net/hamradio/yam.c?id=ece2f084b961c936c4cd45448f770b204a188f11

Conclusion

CVE-2022-24959 is a memory leak vulnerability in the Linux kernel's ham radio driver yam.c. Although this issue may not present a high risk, it's essential to apply the relevant patch as soon as it becomes available for your kernel to prevent potential system corruption and stability issues.

To stay protected from this vulnerability and others like it, always ensure you're using the latest version of the Linux kernel and stay informed about new security updates available for your specific distribution.

Timeline

Published on: 02/11/2022 06:15:00 UTC
Last modified on: 05/11/2022 14:44:00 UTC