CVE-2022-33981: Exploring the Dangerous Use-After-Free Flaw in Linux Kernel's Floppy Driver
In recent news, the Linux kernel's floppy disk driver has been found to have a dangerous vulnerability, CVE-2022-33981, that could potentially cause a denial of service due to a use-after-free flaw. In this post, we'll dive deeper into this vulnerability, discuss its impact, and explore possible mitigation techniques.
Affected Software
The vulnerability affects the Linux kernel before 5.17.6 in the drivers/block/floppy.c code. You can find the official Linux kernel repository at the following link:
https://github.com/torvalds/linux
Vulnerability Details
The issue revolves around a use-after-free flaw specifically within the raw_cmd_ioctl function of the Linux kernel's floppy disk driver. This function is responsible for handling raw commands sent to the disk driver, including a few cases where the driver deallocates memory for raw_cmd.
The vulnerability is triggered by a concurrency issue in how the function deals with the deallocation of raw_cmd. The function uses kfree() to deallocate memory pointed to by raw_cmd, but later in the code, the function pointer fdc_queue is used, leading to the use-after-free flaw.
Here's a code snippet showcasing the vulnerability in the raw_cmd_ioctl function
static int raw_cmd_ioctl(struct floppy_struct *floppy,
struct format_descriptions **raw_cmd)
{
int ret;
...
ret = wait_event_interruptible(fdc->raw_wait,
!fdc->raw_cmd || fdc->reset);
...
if (!ret && !fdc->raw_cmd) {
/* raw_cmd copied to driver structure */
ret = -ENOMEM;
fdc->raw_cmd = kmalloc(struct_size(raw_cmd2, rate, 1),
GFP_KERNEL);
if (fdc->raw_cmd) {
ret = ;
...
}
}
...
fdc_queue(fdc);
kfree(raw_cmd);
...
return ret;
}
Exploitation
An attacker with local user access can leverage this vulnerability to crash the Linux kernel, causing a denial of service. The vulnerability can be exploited by issuing specific raw commands, leading to multiple threads accessing the raw_cmd after it has been deallocated.
Mitigation
To remediate this vulnerability, it is highly recommended to upgrade to Linux kernel version 5.17.6 or later, as this issue has been fixed. The fix can be found in the following commit:
https://github.com/torvalds/linux/commit/99cad0687a3ec0893e2c8f6783489e4f252fdeca
For those who cannot immediately upgrade to the latest kernel version, a temporary solution is to disable or block access to the affected floppy disk driver, reducing the attack surface.
Conclusion
The discovery of the CVE-2022-33981 vulnerability in the Linux kernel's floppy disk driver highlights the importance of diligent patch management and security analysis. It is crucial for users and administrators to stay informed of such vulnerabilities and apply patches as soon as possible to avoid potential malicious exploitation.
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33981
- https://github.com/torvalds/linux/blob/master/drivers/block/floppy.c
- https://github.com/torvalds/linux/commit/99cad0687a3ec0893e2c8f6783489e4f252fdeca
- https://lore.kernel.org/linux-block/20220316131155.463344-1-llua@gentoo.org/
Timeline
Published on: 06/18/2022 16:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC