CVE-2022-44033 - Linux Kernel PCMCIA Race Condition and Use-After-Free Vulnerability in drivers/char/pcmcia/cm404_cs.c

A vulnerability has been discovered in the Linux kernel through version 6..6, specifically in the drivers/char/pcmcia/cm404_cs.c file. This vulnerability is classified as a race condition that may lead to a use-after-free vulnerability if a physically proximate attacker removes a PCMCIA (Personal Computer Memory Card International Association) device while the open() function is being called. This race condition occurs between the cm404_open() and reader_detach() functions within the driver.

Impact

Successful exploitation of the vulnerability could allow a local, physically proximate attacker to execute arbitrary code on the affected system, potentially gaining unauthorized access to sensitive information or compromising the integrity of the system. Additionally, the attacker might cause the system to crash, resulting in a denial of service (DoS).

Analysis

The race condition occurs in the cm404_open() function, which prepares the PCMCIA device to perform a specific operation, and the reader_detach() function, which is responsible for properly detaching the device after the operation has completed.

The vulnerable code snippet in the cm404_open() function is as follows

static int cm404_open(struct inode *inode, struct file *file)
{
  // ... other code ...

  if (dev->removed == ) {
    dev->bufsize = IFD_BUF_SIZE;
    file->private_data = dev;
  } else {
    return -ENODEV;
  }
  
  put_dev(dev);

  // ... more code ...
}

In the reader_detach() function, the code snippet is

static void reader_detach(struct pcmcia_device *link)
{
  cm404_dev_t *dev = link->priv;
  
  if (link->open) {
    dev->removed = 1;
    return;
  }
  
  // ... other code ...
}

The race condition occurs when the cm404_open() function is called while the PCMCIA device is being physically removed by an attacker. The PCMCIA device is not safely detached by the reader_detach() function, and the device's memory could be freed and reallocated before the cm404_open() function finishes executing. This results in a use-after-free vulnerability, which can potentially lead to arbitrary code execution or system crashes.

References

- CVE Details: https://www.cvedetails.com/cve/CVE-2022-44033/
- Linux Kernel Source: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/char/pcmcia/cm404_cs.c

Remediation

To mitigate the vulnerability, users should apply any available patches, security updates, or vendor-recommended solutions as soon as possible, as these may address or remediate the vulnerability. Additionally, users should monitor advisory notices and security releases from the Linux kernel maintainers and their respective Linux distribution providers for the latest information on this vulnerability.

Workaround

As a temporary measure until a patch or update becomes available, users may consider implementing physical access controls to prevent unauthorized removal of the affected PCMCIA devices while the system is operating.

Timeline

Published on: 10/30/2022 01:15:00 UTC
Last modified on: 11/01/2022 13:58:00 UTC