CVE-2022-48735 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
ALSA: hda: Fix UAF of leds class devs at unbinding
The LED class devices that are created by HD-audio codec drivers are registered via devm_led_classdev_register() and associated with the HD-audio codec device. Unfortunately, it turned out that the devres release doesn't work for this case; namely, since the codec resource release happens before the devm call chain, it triggers a NULL dereference or a UAF for a stale set_brightness_delay callback.
For fixing the bug, this patch changes the LED class device register and unregister in a manual manner without devres, keeping the instances in hda_gen_spec.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 08/20/2024
The vulnerability CVE-2022-48735 represents a use-after-free condition affecting the Linux kernel's Advanced Linux Sound Architecture implementation, specifically within the HD-audio codec driver subsystem. This flaw manifests in the management of LED class devices that are dynamically created and registered by HD-audio codec drivers during system initialization. The issue stems from improper resource management during the device unbinding process, where the kernel's device resource management system fails to properly handle the lifecycle of LED class device instances. The vulnerability is classified as a use-after-free condition under CWE-416, which occurs when a program continues to use a pointer after the memory it points to has been freed, leading to potential system instability or exploitation opportunities.
The technical root cause of this vulnerability lies in the interaction between the device resource management system and the LED class device registration mechanism within the HD-audio subsystem. When HD-audio codec drivers create LED class devices, they utilize the devm_led_classdev_register() function to register these devices with the kernel's device management framework. However, during device unbinding operations, the device resource cleanup process executes before the devm call chain completion, creating a temporal window where the LED class device's callback functions may reference freed memory locations. This specific sequence of events triggers a NULL dereference or use-after-free condition when the stale set_brightness_delay callback attempts to execute against a deallocated data structure, effectively creating a race condition between device resource cleanup and callback execution.
The operational impact of this vulnerability extends beyond simple system instability, potentially enabling malicious actors to exploit the use-after-free condition for privilege escalation or denial-of-service attacks. Attackers could leverage this vulnerability to cause kernel crashes, leading to system hangs or reboots that could disrupt critical audio services on affected systems. The vulnerability affects Linux kernel versions where the HD-audio codec drivers are active, particularly systems utilizing Intel High Definition Audio controllers or compatible hardware that rely on the ALSA subsystem for audio device management. The flaw is particularly concerning because it operates at the kernel level, meaning successful exploitation could provide attackers with elevated privileges or complete system compromise, making it a high-severity issue for enterprise and consumer systems alike.
The mitigation strategy implemented in the patch addresses the core resource management issue by transitioning from automatic device resource management to manual LED class device registration and unregistration processes. This approach involves maintaining LED class device instances directly within the hda_gen_spec structure rather than relying on the devm framework, which eliminates the problematic interaction between device resource cleanup and callback execution. The solution aligns with the ATT&CK framework's mitigation strategies for kernel-level vulnerabilities by addressing the root cause through proper resource lifecycle management. Organizations should prioritize applying the kernel patch that resolves this vulnerability, particularly in environments where audio services are critical or where systems may be exposed to untrusted users. The fix ensures that LED class device cleanup occurs in the proper sequence, preventing the temporal race condition that enabled the use-after-free condition while maintaining the functionality of HD-audio codec drivers and their associated LED indicators.