A recently discovered vulnerability with the identifier CVE-2022-20141 poses a potential risk to the Android ecosystem. This issue is related to a use-after-free scenario arising from improper locking in the ip_check_mc_rcu function present in igmp.c file of the Android kernel. As per the available information, this vulnerability could potentially lead to local escalation of privilege for an attacker while opening and closing inet sockets. In this post, we will take a closer look at this vulnerability, the specifics of the code in question, and the potential consequences of its exploitation.

Code Snippet

The issue is identified in the ip_check_mc_rcu() function in igmp.c, where improper locking may lead to a use-after-free situation. The simplified code snippet for this function is as follows:

static bool ip_check_mc_rcu(struct in_device *in_dev_rcu,
	const struct net_device *dev,
	const struct in_addr *addr,
	__be32 local)
{
	struct in_device *in_dev;
	bool found = false;

	in_dev = __in_dev_get_rcu(dev);
	if (!in_dev)
		return false;

	[...]

	if (IN_DEV_MULTICAST(in_dev)) {
		struct ip_mc_list *im;
		for_each_mc_rcu(im, in_dev) {
			found = !ipv4_is_zeronet(im->multiaddr) &&
			        (!local ||
						local == im->saddr ||
						im->saddr == addr->s_addr);
			if (found)
				break;
		}
	}

	return found;
}

Vulnerability Details

The ip_check_mc_rcu() function is responsible for handling multicast-related functionality within the Android kernel. Due to improper locking, this function might access memory that has already been freed, leading to a use-after-free vulnerability. It is important to note that this exploit does not require any additional execution privileges and doesn’t need user interaction.

As stated in the code snippet above, the function performs a multicast check handling certain checks such as IN_DEV_MULTICAST, before proceeding to the for_each_mc_rcu(im, in_dev) loop. During this loop, it's possible to access the memory after freeing it due to improper synchronization, potentially leading to local escalation of privilege when opening and closing inet sockets.

References

To understand this vulnerability in its entirety and to examine the original sources, we recommend looking into the following resources:

1. The area of the code where this vulnerability resides - Android Open Source Project repository (igmp.c).
2. The Upstream kernel commit with the fix that has been rolled out.

Exploit Details

Currently, there is no detailed public exploit for this vulnerability. However, it is a serious concern that needs to be addressed given the potential for local privilege escalation when combined with other vulnerabilities.

Mitigation

To address this vulnerability, it's essential for Android device manufacturers to update their kernel and apply patches provided by Android Open Source Project (AOSP) to properly lock and synchronize the memory usage in ip_check_mc_rcu function in igmp.c file.

Conclusion

The CVE-2022-20141 vulnerability demonstrates the importance of proper synchronization and locking mechanisms when writing code for operating systems such as the Android kernel. Mitigating this issue by applying the necessary patches will protect users from potential escalations of privilege that could lead to unintended access and control over a device. In the ever-evolving landscape of cybersecurity, it's crucial for developers and manufacturers to remain vigilant and ensure that their code is up to date and secure.

Timeline

Published on: 06/15/2022 14:15:00 UTC
Last modified on: 06/23/2022 20:21:00 UTC