CVE CyberSecurity Database News

CVE-2022-3707 - Double-Free Vulnerability in Linux Kernel’s Intel GVT-g Graphics Driver — Deep Dive and Exploit Walkthrough

Poster -

In 2022, security researchers discovered a severe vulnerability within the Intel GVT-g graphics virtualization driver in the Linux kernel. Registered as CVE-2022-3707, this double-free memory flaw can cause local denial of service by crashing the whole system. In this post, we’ll break down how this bug appears, walk through the relevant kernel code, and show how a crafted program could trigger the crash.

What is CVE-2022-3707?

CVE-2022-3707 impacts the Intel GVT-g (Graphics Virtualization Technology) driver in the Linux kernel. GVT-g allows multiple virtual machines to share a physical graphics card. During certain resource-intensive operations, the kernel’s memory management code can call the free() function twice on the same memory location – a classic double-free vulnerability.

When exploited, this bug doesn’t give full control over the system, but it does allow a user with local access to crash the machine, causing a denial of service (DoS).

Where’s the Bug? (A Simple Walkthrough)

The bug lives in the function intel_gvt_dma_map_guest_page defined in the Intel GVT-g driver. Under heavy load, the function calls memory management routines in such a way that a pointer gets freed twice. The kernel’s memory allocator is not built to handle this, so it panics (crashes the system).

Here’s a simplified version of the vulnerable code

int intel_gvt_dma_map_guest_page(struct intel_gvt *gvt, unsigned long gfn, ...)
{
    void *page = NULL;
    int ret;

    page = alloc_page(...);
    if (!page)
        return -ENOMEM;

    ret = do_something_with_page(page);
    if (ret) {
        free_page(page);       // <-- First free
        goto out;
    }
    ...

out:
    free_page(page);           // <-- Second free! Oops!
    return ret;
}

The function tries to allocate a page of memory.

- If anything goes wrong in do_something_with_page, it frees the page and jumps to the out code block.

But in out, it frees the same page *again*!

- Result: The same memory location is released to the kernel’s memory allocator twice — unsafe and potentially disastrous.

*Have an Intel GPU with GVT-g support enabled under Linux.*

2. *Be able to cause enough load or provide crafted arguments that trigger the error path in intel_gvt_dma_map_guest_page.*

Here’s a simple proof-of-concept C code snippet showing how a user might intentionally overload the driver (note: This will crash your machine if unpatched! Don’t run on production systems.):

// exploit_cve_2022_3707.c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

int main() {
    int fd = open("/dev/dri/card", O_RDWR);
    if (fd < ) {
        perror("open");
        return 1;
    }

    // Send crafted ioctl triggering GVT-g allocation/free logic
    for (int i = ; i < 10000; i++) {
        ioctl(fd, SOME_GVTG_IOCTL, NULL); // Replace with real ioctl code
    }

    close(fd);
    printf("Done\n");
    return ;
}


*Note: For demonstration only. Actual ioctl values depend on your kernel version and device nodes.*

On a vulnerable system, the above loop increases the chance of hitting the double-free logic, causing a kernel panic ("Oops").

Impact: Only local users can exploit it. Remote attackers are not directly impacted.

- Severity: Medium (Denial of Service). No evidence exists (so far) that this bug can be reliably used for privilege escalation. However, double-frees can sometimes lead to code execution under the right circumstances, so all users should patch.

Fix and Mitigation

The Linux kernel team patched this by making sure the free_page call in the out block only runs if the page hasn’t already been freed.

Typical patch (pseudo-code)

if (ret) {
    free_page(page);
    page = NULL;
    goto out;
}

// ...
out:
if (page)
    free_page(page);

Check your distribution for fixed kernel versions, or patch manually by updating your intel_gvt_dma_map_guest_page logic.

References

- Red Hat security advisory
- NIST National Vulnerability Database: CVE-2022-3707
- Linux kernel patch discussion

Final Thoughts

While CVE-2022-3707 doesn’t offer “superpowers” for attackers, it’s one of those vulnerabilities that can cause real headaches for anyone running Intel GPU virtualization in Linux. If you use GVT-g, update your kernel as soon as possible and review your virtualization security practices.

If you’re a kernel dev or sysadmin, keep an eye out for double-free bugs like this — they’re simple, yet dangerous. Want to learn more? Dive into the links above, and don’t hesitate to check your systems for vulnerable code!

Timeline

Published on: 03/06/2023 23:15:00 UTC
Last modified on: 05/03/2023 14:15:00 UTC