In September 2022, security researchers discovered a double-free flaw in the Linux kernel NTFS3 filesystem implementation. This vulnerability, tracked as CVE-2022-3238, can lead to a system crash or even local privilege escalation. It specifically affects users who have the NTFS3 subsystem enabled and can trigger remount and umount operations at the same time.
In this post, I’ll explain what double-free means, how it affects the NTFS3 driver in Linux, walk through the exploit potential, and show you where to get more details.
What is a Double-Free Bug?
A double-free happens when the same part of memory is freed twice. In C programming (used by the Linux kernel), freeing unused memory is common, but if you try to free it again, it can cause the system to behave unpredictably, open up security holes, or crash outright.
The NTFS3 Subsystem
The NTFS3 driver was merged into the Linux kernel to allow read and write access to NTFS file systems (the format used by Windows). It is widely used when transferring files between Linux and Windows.
Vulnerability Details
The bug resides in how NTFS3 handles the remount and umount requests. If a user can race—meaning run two things at just the right time—they can trick the system into freeing critical memory twice. This can crash the computer or, in the worst case, let them get admin privileges (root).
Affected Kernel Versions
This bug was discovered in NTFS3 code released with Linux kernel v5.15 and further (when NTFS3 was first included).
Technical Explanation with Code
When you run mount or umount, the kernel processes the filesystem’s cleanup. The bug happens if you manage to call remount while an umount is happening, leading to this memory segment being freed twice.
Here’s a simplified illustration of what’s going wrong (pseudo-code)
static int ntfs3_remount(struct super_block *sb, int *flags, char *data)
{
ntfs_sb_info *sbi = sb->s_fs_info;
// ... do remount stuff ...
if (error) {
// Free sbi
kfree(sbi);
sb->s_fs_info = NULL; // <-- should check if already freed
return -EINVAL;
}
}
Elsewhere, on umount
static void ntfs3_put_super(struct super_block *sb)
{
ntfs_sb_info *sbi = sb->s_fs_info;
kfree(sbi); // <-- double free occurs here if remount also freed it
sb->s_fs_info = NULL;
}
The issue is that two threads can both try to free sbi, leading to a double-free. The kernel devs have since patched this bug by adding proper checks.
How Can Attackers Exploit This?
To exploit this vulnerability, an attacker must have access to the target system (local user). Here’s a simple outline of an attack:
Cause a double-free in the kernel memory.
4. Trigger a system crash (DoS) or attempt to escalate privileges using the corrupted memory structure.
Proof-of-Concept Script (for system crash)
# WARNING: Running this can crash your system!
mount -t ntfs3 /dev/sdX /mnt/test
# In two terminals, run:
while true; do mount -o remount,rw /mnt/test; done
# And in another:
while true; do umount /mnt/test; done
Exploit Potential: Privesc
A double-free can not only crash a system but, in some situations, can be used to overwrite function pointers or kernel data. This could let an attacker execute code as root, if the timing and system conditions are just right. No public exploit for full privilege escalation is known, but the risk is real.
Patch & Mitigation
Patched in: Kernel commit 1cedd89b74e982c2f2a8aece94712b97aea8b827 (12 Sep 2022).
Fix: Developers made sure that the same memory isn’t freed twice, using proper locking and pointer checks.
If you can’t upgrade, consider disabling the NTFS3 driver (blacklist ntfs3 in modprobe.d).
- Only allow trusted users to mount/umount filesystems.
References
- CVE-2022-3238 (NIST NVD Listing)
- Linux Kernel Patch Commit
- NTFS3 Documentation
- Red Hat Security Advisory
Conclusion
CVE-2022-3238 is a serious double-free bug in the Linux NTFS3 driver, a reminder that filesystem code is tricky and can have system-wide effects. If you’re running a Linux system that uses NTFS drives, make sure you’ve patched your kernel to stay secure.
Timeline
Published on: 11/14/2022 21:15:00 UTC
Last modified on: 11/17/2022 20:24:00 UTC