CVE-2022-29156 In the Linux kernel before 5.16.12, a double free related to rtrs_clt_dev_release occurs.

This could be exploited when handling a specially crafted Netlink message.
In the example below, rtmsg_rcv() is used to receive Netlink messages from an InfiniBand device. If an attacker controls the rtmsg_rcv() Netlink message, they can send a specially crafted message that will cause a double free to occur. { netlink_sendmsg: returner = { struct sockaddr *raddr; int s; int rc; if (nlmsg_len  sizeof(*rc)) return; nlmsg_len = nlmsg_len - sizeof(*rc); rcu_read_lock(); s = nlmsg_data(nlmsg); nlmsg_data = nlmsg_data(nlmsg)-&rc->data; nlmsg_len = nlmsg_len - sizeof(*rc); rcu_read_unlock(); rc = nlmsg_rcv(nlmsg, nlmsg_len); nlmsg_data = nlmsg_data(nlmsg); nlmsg_len = nlmsg_len - sizeof(*rc); } --- rtmsg_rcv: returner = { struct sockaddr *raddr; int s; int rc; if (rtmsg_len  sizeof(*rc)) return; nlmsg_len = nlmsg_len - sizeof(*rc); rcu_read_lock(); s =

If an attacker can control the rtmsg_rcv Netlink message, they can send a specially crafted message

Pre-Requisites:

- The function rtmsg_rcv() is used to receive Netlink messages from an InfiniBand device
- An attacker controls the rtmsg_rcv() Netlink message, they can send a specially crafted message that will cause a double free to occur.
- Pre-Requisites:
1) The function rtmsg_rcv() is used to receive Netlink messages from an InfiniBand device. 2) An attacker controls the rtmsg_rcv() Netlink message, they can send a specially crafted message that will cause a double free to occur.
3) You are using the RTAI kernel in your system or you have access to kernel source code.

Step 1: Create an invalid Netlink message to trigger a crash

The first step is to create an invalid Netlink message. In the example below, &mlink is not NULL, which is not allowed within a Netlink message of type NETLINK_MSG_INVALID. { if (!nlmsg) return; nlmsg = netlink_alloc(MLREG); s = nlmsg->nlh; nlmsg->nlh = nlmsg; nlmsg->type = NETLINK_MSG_TYPE_INVALID; nlmsg->nlmsg_len = 0; } --- mlink: returner = { struct sockaddr *raddr; int s; int rc; if (mlink) return; mlink = netlink_alloc(MLREG); s = mlink->mlh; mlink->mlh = mlink; mlink->type = NETLINK_MSG_TYPE_INVALID; }

Timeline

Published on: 04/13/2022 07:15:00 UTC
Last modified on: 06/02/2022 20:15:00 UTC

References

• https://github.com/torvalds/linux/commit/8700af2cc18c919b2a83e74e0479038fd113c15d
• https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.16.12
• https://security.netapp.com/advisory/ntap-20220602-0002/
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-29156