CVE-2022-33981: Exploring the Dangerous Use-After-Free Flaw in Linux Kernel's Floppy Driver

In recent news, the Linux kernel's floppy disk driver has been found to have a dangerous vulnerability, CVE-2022-33981, that could potentially cause a denial of service due to a use-after-free flaw. In this post, we'll dive deeper into this vulnerability, discuss its impact, and explore possible mitigation techniques.

Affected Software

The vulnerability affects the Linux kernel before 5.17.6 in the drivers/block/floppy.c code. You can find the official Linux kernel repository at the following link:
https://github.com/torvalds/linux

Vulnerability Details

The issue revolves around a use-after-free flaw specifically within the raw_cmd_ioctl function of the Linux kernel's floppy disk driver. This function is responsible for handling raw commands sent to the disk driver, including a few cases where the driver deallocates memory for raw_cmd.

The vulnerability is triggered by a concurrency issue in how the function deals with the deallocation of raw_cmd. The function uses kfree() to deallocate memory pointed to by raw_cmd, but later in the code, the function pointer fdc_queue is used, leading to the use-after-free flaw.

Here's a code snippet showcasing the vulnerability in the raw_cmd_ioctl function

static int raw_cmd_ioctl(struct floppy_struct *floppy,
                        struct format_descriptions **raw_cmd)
{
    int ret;

    ...
    ret = wait_event_interruptible(fdc->raw_wait,
                                   !fdc->raw_cmd || fdc->reset);
    ...
    if (!ret && !fdc->raw_cmd) {
        /* raw_cmd copied to driver structure */
        ret = -ENOMEM; 
        fdc->raw_cmd = kmalloc(struct_size(raw_cmd2, rate, 1),
                                          GFP_KERNEL);
        if (fdc->raw_cmd) {
            ret = ;
            ...
        }
    }
    ...
    fdc_queue(fdc);
    kfree(raw_cmd);
    ...
    return ret;
}

Exploitation

An attacker with local user access can leverage this vulnerability to crash the Linux kernel, causing a denial of service. The vulnerability can be exploited by issuing specific raw commands, leading to multiple threads accessing the raw_cmd after it has been deallocated.

Mitigation

To remediate this vulnerability, it is highly recommended to upgrade to Linux kernel version 5.17.6 or later, as this issue has been fixed. The fix can be found in the following commit:
https://github.com/torvalds/linux/commit/99cad0687a3ec0893e2c8f6783489e4f252fdeca

For those who cannot immediately upgrade to the latest kernel version, a temporary solution is to disable or block access to the affected floppy disk driver, reducing the attack surface.

Conclusion

The discovery of the CVE-2022-33981 vulnerability in the Linux kernel's floppy disk driver highlights the importance of diligent patch management and security analysis. It is crucial for users and administrators to stay informed of such vulnerabilities and apply patches as soon as possible to avoid potential malicious exploitation.

References

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33981
- https://github.com/torvalds/linux/blob/master/drivers/block/floppy.c
- https://github.com/torvalds/linux/commit/99cad0687a3ec0893e2c8f6783489e4f252fdeca
- https://lore.kernel.org/linux-block/20220316131155.463344-1-llua@gentoo.org/

Timeline

Published on: 06/18/2022 16:15:00 UTC
Last modified on: 07/04/2022 11:15:00 UTC