A new vulnerability, CVE-2022-2588, has recently been discovered in the Linux kernel which affects the cls_route (classifier-route) filter implementation. If left unaddressed, this vulnerability can lead to possible remote exploits, memory leaks, and denial of services (DoS) attacks. In this post, we'll dive into the details of this vulnerability, provide code snippets to illustrate the problem, and link to the original references for further information.

Exploit Details

The vulnerability was introduced due to an oversight in the cls_route filter implementation where an older filter would not be removed from the hashtable before it was freed if its handle had the value . As a result, this vulnerability could potentially be exploited by an attacker who could remotely tamper with a cls_route filter, triggering a remote denial of service attack or leaking sensitive information.

Code Snippet Illustrating the Problem

Here's an example of the problematic code found in the Linux kernel's cls_route implementation (simplified for the sake of clarity):

static int route4_delete_filter(struct tcf_proto *tp, unsigned long handle, ...)
{
  struct route4_filter *f, **fp;
  ...
  fp = &route4_head_chain(tp, handle);
  
  for (; (f = *fp) != NULL; fp = &f->next) {
    if (handle && f->handle != handle)
      continue;
    *fp = f->next;
    
    if (handle)
      tcf_unbind_filter(tp, &f->res);

    tcf_destroy(&f->res);
    ...
  }
}

The cls_route filter attempts to access the route4_head_chain to find a filter with the same handle as the one passed to the function. If a filter with the required handle is found, it is removed from the hashtable. However, if the handle is , it would not unbind the previous filter before destroying it.

To fix the vulnerability, the following change has been applied in the Linux kernel, adding an explicit check for the handle value:

static int route4_delete_filter(struct tcf_proto *tp, unsigned long handle, ...)
{
  struct route4_filter *f, **fp;
  ...
  fp = &route4_head_chain(tp, handle);
  
  for (; (f = *fp) != NULL; fp = &f->next) {
    if (handle && f->handle != handle)
      continue;
    *fp = f->next;
    
    // Adding an explicit check for handle value  to fix the vulnerability
    if (handle || f->handle == )
      tcf_unbind_filter(tp, &f->res);

    tcf_destroy(&f->res);
    ...
  }
}

Original References

The vulnerability was first identified in the Linux kernel and given the ID CVE-2022-2588. You can find the official CVE report here: CVE-2022-2588

Additionally, the Linux kernel security has details on the vulnerability in their security advisory, which can be viewed here: Linux Kernel Security Advisory

Conclusion

In summary, CVE-2022-2588 is a serious vulnerability that affects users of the Linux kernel's cls_route filter functionality. The vulnerability's exploitation could lead to remote denial of service attacks, memory leaks, or exposure of sensitive information. It is critical for users to update their kernel version to ensure that they are not affected by this vulnerability. By understanding the details and origin of this vulnerability, users and developers can better prepare themselves against future attacks and ensure that their systems remain secure.

Timeline

Published on: 01/08/2024 18:15:44 UTC
Last modified on: 01/08/2024 19:05:05 UTC