CVE-2022-48626: Patching a Use-After-Free Vulnerability in Linux Kernel's Moxart_Remove Path

In the Linux kernel, a use-after-free vulnerability was discovered in the "moxart" remove path. The Common Vulnerabilities and Exposures (CVE) assigned to this vulnerability is CVE-2022-48826. In this article, we will discuss the details of this vulnerability, the cause, and the resolution provided by the Linux kernel developers.

Vulnerability Background

In the Linux kernel, the Moxart host driver files provide support for the Moxa Art SoC MMC devices. The Moxart SoC has a host controller and a CPU for managing the MultiMediaCard (MMC) communications.

During the removal of the device, a potential use-after-free error was identified in the "moxart_remove()" function, which could lead to the access of the freed memory. This vulnerability could be potentially exploited by an attacker to cause a denial of service (DoS) or execute arbitrary code.

The following code snippet showcases the vulnerability in the "moxart_remove()" function

static int moxart_remove(struct platform_device *pdev)
{
    struct mmc_host *mmc = platform_get_drvdata(pdev);
    struct moxart_host *host = mmc_priv(mmc);
    ...
    mmc_free_host(mmc); // <-- This is where the structure is freed
    ...
    return ;
}

As we can see, the "mmc" structure is freed using the "mmc_free_host()" function. However, the freed structure is still accessed after being freed.

Links to Original References

1. Linux Kernel Git Commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cceb56443a9e65a5f7e33fb7a9f0539bfd5f86d5
2. NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2022-48626

Exploit Details

To exploit this vulnerability, an attacker would require local access to the system and the ability to send specially crafted input data to trigger the use-after-free error in the "moxart_remove()" function. This input data would most likely come from a malicious device driver. Once triggered, the attacker could potentially use this bug to execute arbitrary code or cause a denial of service, which could result in crashing the kernel or freezing the system.

Resolution

The developers of the Linux kernel resolved this use-after-free vulnerability by saving the base register of the device and using it instead of the pointer dereference. The following is the new code snippet that fixes the vulnerability:

// Save the base address before freeing the structure
void __iomem *base = host->base;

mmc_free_host(mmc);

// Use the saved base address instead of the freed structure
free_irq(platform_get_irq(pdev, ), base);

Conclusion

CVE-2022-48626, a use-after-free vulnerability in the "moxart" remove path of the Linux kernel has been successfully resolved by the kernel developers. By saving the base register of the device and using it instead of the freed pointer, they effectively eliminated the potential risk that could arise from accessing a freed memory structure.

Timeline

Published on: 02/26/2024 16:27:45 UTC
Last modified on: 04/17/2024 19:28:53 UTC