Linux Kernel vulnerabilities often fly under the radar, yet they can have devastating consequences, especially when they involve memory management bugs like use-after-free or double free. One such bug, tracked as CVE-2022-34494, affects the rpmsg_virtio_add_ctrl_dev function in the Linux kernel before version 5.18.4. This post takes a deep dive into this CVE: how the bug works, how it can be exploited, and what you need to know to protect your systems.
What is CVE-2022-34494?
CVE-2022-34494 is a double free vulnerability discovered in the rpmsg_virtio_add_ctrl_dev function, found in the file drivers/rpmsg/virtio_rpmsg_bus.c. The bug existed in all Linux kernels prior to 5.18.4.
When the kernel code tries to clean up after an error condition during device creation, it frees the same memory twice. This may lead to system crashes, privilege escalation, or arbitrary code execution, depending on how the freed memory is reused.
> Original advisory: NVD - CVE-2022-34494
> Upstream Fix Commit: kernel.org commit
The vulnerable code is in the function rpmsg_virtio_add_ctrl_dev
static int rpmsg_virtio_add_ctrl_dev(...)
{
struct device *dev;
ctrl = devm_kzalloc(...); // allocate memory
if (!ctrl)
return -ENOMEM;
dev = ... // create a device
if (device_register(dev)) {
devm_kfree(ctrl); // first free
put_device(dev); // triggers device release, leading
// to devm_kfree(ctrl) again -- second free
return <error>;
}
...
}
Then calls put_device(dev), which tries to clean up again, freeing ctrl a second time
This double free can corrupt memory, which is especially dangerous in the kernel where memory is shared and protected.
Exploiting Double Free
1. Trigger the Error: Attackers need to make device_register(dev) fail. This often happens by simulating or causing resource exhaustion or invalid configurations.
2. Double Free Occurs: The kernel frees the same pointer twice. Because it’s a kernel bug, the attacker could overwrite kernel memory allocations.
3. Arbitrary Code Execution: If the attacker can get controlled data into the place freed, they might be able to hijack execution — often leading to root (full system) compromise.
Preconditions:
- Attacker needs to trigger an error condition in the device registration path for a remote processor or embedded context.
- Exploitation might require local user access or running on a crafted virtual machine/guest.
Proof of Concept (PoC)
Here's a conceptual example of how such a bug would be triggered. (Note: A full, working exploit is kernel and device/context-specific.)
// This pseudo code will not work as-is, but gives the flow:
int fd = open("/dev/rpmsg_virtio", O_RDWR);
if (fd > ) {
// Send command/input that causes device registration to fail
ioctl(fd, RPMSG_IOCTL_SOMETHING_INVALID, ...);
// Observe system log / dmesg for potential double free or crash
}
Detection:
Reported by: Yanfei Zhang and P J P (Red Hat)
- Fix committed: linux.git commit 8b1a2a614a2e
Recommended Actions
- Upgrade immediately to Linux kernel 5.18.4 or later, or backport the commit fix to your kernel tree.
- If you use Linux in an embedded/IoT/virtualized setting, check if the rpmsg_virtio module is present, as not all setups are affected.
Relevant links
- Red Hat Bugzilla - CVE-2022-34494
- NVD Entry
- Linux Kernel Commit
Conclusion
CVE-2022-34494 is a good reminder of how subtle memory management bugs can creep into the kernel and remain hidden until someone triggers an error path. Left unpatched, this flaw could let attackers crash your system or even gain kernel-level access.
If you’re a Linux admin, even if you don’t use the affected module, upgrade your kernels. Security is only as strong as your weakest link.
Timeline
Published on: 06/26/2022 16:15:00 UTC
Last modified on: 07/08/2022 03:59:00 UTC