A recent security issue with a reference to CVE-2022-34494 has been discovered in the Linux kernel before version 5.18.4. This vulnerability affects the rpmsg_virtio_add_ctrl_dev function in the drivers/rpmsg/virtio_rpmsg_bus.c file, resulting in a double-free memory corruption. In this blog post, we will discuss the details of this vulnerability, provide code snippets showcasing the affected code, and address the potential exploits. Finally, we will provide links to the original findings and patches.

Vulnerability Details

The Root Cause Analysis (RCA) of the double-free vulnerability lies in the rpmsg_virtio_add_ctrl_dev function in the drivers/rpmsg/virtio_rpmsg_bus.c. Double-free occurs when the same memory is freed twice, causing potential memory corruption and potentially leading to code execution by attackers. This issue primarily affects the error-handling paths utilized within the function.

Let's take a look at the affected code in the rpmsg_virtio_add_ctrl_dev function

static int rpmsg_virtio_add_ctrl_dev(struct rpmsg_virtio_device *vdev, int idx)
{
    ...
    char rpmsg_chr_name[RPMSG_NAME_SIZE];
    struct device *v_ctrl;
    int err;

    v_ctrl = kzalloc(sizeof(*v_ctrl), GFP_KERNEL);
    if (!v_ctrl)
        return -ENOMEM;

    device_initialize(v_ctrl);
    mutex_lock(&rpmsg_ctrl_lock);
    snprintf(rpmsg_chr_name, sizeof(rpmsg_chr_name), "rpmsg%d", src);

    err = dev_set_name(v_ctrl, "%s.%s", rpmsg_chr_name, vdev->dev.parent->init_name);
    if (err)
        goto error;

    err = device_add(v_ctrl);
    if (err) {
error:
        put_device(v_ctrl);
        kfree(v_ctrl);
        mutex_unlock(&rpmsg_ctrl_lock);
        return err;
    }
    ...
}

As shown in the code snippet above, the rpmsg_virtio_add_ctrl_dev function allocates memory for the v_ctrl variable using kzalloc, then initializes and adds the device to the system. However, an issue occurs in the error-handling paths - when an error is encountered while setting the device's name or while adding the device, the function frees the previously allocated memory and unlocks the mutex. The memory is then freed again using the put_device function, resulting in a double-free operation.

Exploit Details

An attacker can exploit this vulnerability by triggering the double-free issue in the specific error-handling code path, potentially leading to memory corruption and code execution. Successful exploitation could allow a malicious actor to execute arbitrary code with kernel-level privileges on the affected system, leading to a significant compromise of system security.

Mitigation and Patch Information

The Linux kernel development team acknowledged the vulnerability and released a patch for the Linux kernel before version 5.18.4 addressing this issue. The patch modifies the error-handling code path to ensure that the memory is only freed once, preventing the double-free from occurring. Users affected by this vulnerability should apply the patch as soon as possible to mitigate the risk.

1. Linux Kernel Git Repository (v5.18.4): https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/rpmsg/virtio_rpmsg_bus.c?h=v5.18.4
2. CVE-2022-34494: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34494

Conclusion

CVE-2022-34494 is a critical vulnerability in the Linux kernel, involving a double-free issue in the rpmsg_virtio_add_ctrl_dev function. This vulnerability could lead to potential memory corruption and arbitrary code execution with kernel-level privileges. Users of affected Linux kernel versions should apply the available patch promptly to protect their systems from exploitation.

Timeline

Published on: 06/26/2022 16:15:00 UTC
Last modified on: 07/08/2022 03:59:00 UTC