A security vulnerability has been discovered in the Linux kernel that can potentially lead to a double free situation in the usb_8dev_start_xmit() function. This post will cover the details about the vulnerability (CVE-2022-28388), the function at risk, some code snippets related to it, and the potential exploits that can make use of this weakness. We will also provide links to the original references to provide more insight into this issue.
Vulnerability (CVE-2022-28388) Details
The function usb_8dev_start_xmit, located in drivers/net/can/usb/usb_8dev.c in Linux kernel versions up to and including 5.17.1, is responsible for transmitting data over USB for 8 devices. However, it has been reported that there is a double-free vulnerability within this function which can result in undefined behavior, memory corruption, and subsequent crashes or other malicious attacks.
The Linux kernel is the heart of the operating system, and any vulnerability within this kernel may lead to serious consequences, affecting the stability and security of the entire system. The kernel version mentioned (5.17.1) covers a wide range of Linux distributions, and thus a large number of systems are potentially at risk.
Code Snippet
The double-free vulnerability is present in the following section of the function usb_8dev_start_xmit in usb_8dev.c:
static netdev_tx_t usb_8dev_start_xmit(struct sk_buff *skb,
struct net_device *netdev) {
struct usb_8dev_private *priv = netdev_priv(netdev);
/* some code omitted for brevity */
usb_fill_bulk_urb(urb, priv->udev,
usb_sndbulkpipe(priv->udev, priv->bulk_out_address),
skb->data, can_dlc2len(skb->can_dlc),
usb_8dev_write_bulk_callback, ctx);
/* some code omitted for brevity */
atomic_inc(&priv->active_tx_urbs);
ret = usb_submit_urb(urb, GFP_ATOMIC);
if (ret) {
can_free_echo_skb(netdev, ctx->echo_index);
kfree_skb(skb);
usb_free_urb(urb);
netdev_err(netdev, "Error %d sending frame\n", ret);
}
/* some code omitted for brevity */
return NETDEV_TX_OK;
}
The vulnerability lies in the error handling block of this function. In the event of an error, the function frees the kernel memory both for the socket buffer (skb) and the USB URB (urb) using kfree_skb(skb) and usb_free_urb(urb) calls, respectively. However, this is problematic, as it results in freeing the memory twice, a double free.
Exploit details
An attacker could potentially exploit this vulnerability by specifically crafting a malicious USB packet that would result in an error in the usb_submit_urb() function. This would, in turn, cause both the skb and urb to be freed twice, leading to a double-free situation. An attacker could further abuse this situation to cause memory corruption, crash the system, or even compromise its security and execute arbitrary code with kernel-level privileges.
Original references
- Linux kernel source code
- CVE-2022-28388 in the CVE database
In conclusion, the double-free vulnerability in the Linux kernel's usb_8dev_start_xmit function is a serious issue that requires attention. Linux distribution developers should work promptly to integrate security patches addressing this issue into their kernel versions. Users should make sure to stay up-to-date with these patches to maintain system security and stability.
Timeline
Published on: 04/03/2022 21:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC