CVE-2022-2588 - Deep Dive Into a Linux Kernel Vulnerability in cls_route Filter Handling

In July 2022, a serious bug was identified in the Linux kernel’s networking subsystem, specifically within the cls_route traffic control (tc) filter implementation. The vulnerability, tracked as CVE-2022-2588, could allow a local user to trigger a use-after-free (UAF) attack. This bug potentially enables privilege escalation or system crashes, making it a critical issue for both servers and desktops running vulnerable kernel versions.

In this post, we’ll break down what this vulnerability is, why it’s dangerous, provide code snippets, reference the original reports, and discuss the basic exploit scenario—all in simple terms.

Vulnerability in cls_route filter code in the Linux kernel (networking stack).

- When a filter handle has the value , removing an old filter doesn’t happen *before* the memory for it is freed.

The freed memory is still accessible via the hashtable, leading to a classic use-after-free.

This means an attacker can access memory that has already been freed, potentially modifying kernel memory or causing crashes.

Let’s look at an excerpt of the vulnerable kernel code (from net/sched/cls_route.c)

static int route4_change(...)
{
    ...
    n = route4_lookup(tp, handle);
    if (n) {
        hlist_del(&n->hlist); // remove from hashtable
        kfree(n);             // free memory
    }
    ...
}

However, if handle == , the code *does not call* hlist_del(&n->hlist); before freeing

/* <-- bug: handle ==  skips hlist_del --> */
if (handle) {
    hlist_del(&n->hlist);
}
kfree(n);

So, the filter object (n) is freed, but still sits in the hashtable. If something else later looks it up, it could access already-freed memory!

Possibly execute arbitrary code in kernel (root-level) context.

On many Linux systems, ordinary local users have *some* access to tc (traffic control), making it exploitable.

Who Discovered and Reported It?

The bug was reported by Clément Lecigne of Google’s Threat Analysis Group.

- Original patch: commit c5e5cae6f638
- National Vulnerability Database: CVE-2022-2588 entry
- Linux kernel security advisory: LKML post

The Old Object Is Not Unlinked: The dangling pointer remains in kernel’s hash table.

4. Reallocate Memory: The attacker tries to allocate new kernel objects of the same size, potentially controlling their contents.
5. Trigger Kernel Code to Access the Old Object: Kernel looks up the “old” object and operates on attacker-controlled data, possibly leading to privilege escalation or information leaks.

Example Exploit Skeleton (Not a Real Exploit, for Illustration)

Requires root or CAP_NET_ADMIN but *could* be triggered by unprivileged users on poorly configured systems.

# 1. Add a filter with handle 
tc filter add dev eth protocol ip parent 1: prio 1 route handle  ... 

# 2. Replace the filter (triggers the bug)
tc filter replace dev eth protocol ip parent 1: prio 1 route handle  ...

# 3. Meanwhile, allocate/reuse memory (this part is more complex - see *real* exploit toolkits)

A real exploit would try to reclaim the freed memory with attacker-controlled data, but the details go far beyond this post.

How Was It Fixed?

The fix was fairly simple: *always* remove (hlist_del) the filter from the hashtable before freeing it, including if the handle is :

Patch diff:

-    if (handle)
-        hlist_del(&n->hlist);
+    hlist_del(&n->hlist);

Am I Vulnerable? How Do I Fix It?

- Affected versions: Linux kernel v3.9 and up to v5.18 (quick check: if your kernel is from before August 2022, you should *double-check*).
- Upgrade your kernel! Most distributions (Debian, Ubuntu, RHEL, Fedora) have included the fix as of late 2022.
- If you can’t patch, consider disabling unprivileged access to tc or net_cls/net_prio cgroups.

More Information

- Original Patch
- CVE-2022-2588 NVD entry
- Security Focus: CVE-2022-2588
- Proof of Concept from qeedquan (educational purposes)
- LWN Article: "Route filter bug allows kernel code execution"

Final Thoughts

CVE-2022-2588 is a crystal-clear demonstration of how a small oversight (forgetting to remove a pointer from a hashtable before freeing) can lead to serious consequences in a low-level subsystem like Linux networking. Always stay on top of kernel updates, especially when vulnerabilities like this come up.

If you found this breakdown useful, share with your sysadmin friends, and help keep Linux secure!

Timeline

Published on: 01/08/2024 18:15:44 UTC
Last modified on: 01/08/2024 19:05:05 UTC