CVE-2022-48912 in Linuxinfo

Summary

by MITRE • 08/22/2024

In the Linux kernel, the following vulnerability has been resolved:

netfilter: fix use-after-free in __nf_register_net_hook()

We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already.

BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline]
BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 Read of size 2 at addr ffff88801c1a8000 by task syz-executor237/4430

CPU: 1 PID: 4430 Comm: syz-executor237 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline]
hooks_validate net/netfilter/core.c:171 [inline]
__nf_register_net_hook+0x77a/0x820 net/netfilter/core.c:438 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:571 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:587 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1218 synproxy_tg6_check+0x30d/0x560 net/ipv6/netfilter/ip6t_SYNPROXY.c:81 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1038 check_target net/ipv6/netfilter/ip6_tables.c:530 [inline]
find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:573 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:735 do_replace net/ipv6/netfilter/ip6_tables.c:1153 [inline]
do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1639 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1024 rawv6_setsockopt+0xd3/0x6a0 net/ipv6/raw.c:1084 __sys_setsockopt+0x2db/0x610 net/socket.c:2180 __do_sys_setsockopt net/socket.c:2191 [inline]
__se_sys_setsockopt net/socket.c:2188 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2188 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f65a1ace7d9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 71 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f65a1a7f308 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 00007f65a1ace7d9 RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003 RBP: 00007f65a1b574c8 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000020000000 R11: 0000000000000246 R12: 00007f65a1b55130 R13: 00007f65a1b574c0 R14: 00007f65a1b24090 R15: 0000000000022000

The buggy address belongs to the page: page:ffffea0000706a00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1c1a8 flags: 0xfff00000000000(node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000000000 ffffea0001c1b108 ffffea000046dd08 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as freed page last allocated via order 2, migratetype Unmovable, gfp_mask 0x52dc0(GFP_KERNEL|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_ZERO), pid 4430, ts 1061781545818, free_ts 1061791488993 prep_new_page mm/page_alloc.c:2434 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 __alloc_pages_node include/linux/gfp.h:572 [inline]
alloc_pages_node include/linux/gfp.h:595 [inline]
kmalloc_large_node+0x62/0x130 mm/slub.c:4438 __kmalloc_node+0x35a/0x4a0 mm/slub. ---truncated---

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 09/28/2024

The vulnerability described in CVE-2022-48912 is a use-after-free condition affecting the Linux kernel's netfilter subsystem, specifically within the `__nf_register_net_hook()` function. This flaw occurs when the kernel attempts to dereference a pointer to network hook structures after releasing the `nf_hook_mutex` lock, which allows concurrent threads to potentially free the memory containing these structures. The issue manifests as a kernel address sanitizer (KASAN) detection, indicating an invalid memory access at a specific address in the netfilter core module. The vulnerability is particularly concerning because it can lead to system instability or potential privilege escalation if exploited by a malicious actor with kernel-level access.

The technical root cause lies in improper synchronization within the netfilter hook registration process. When `__nf_register_net_hook()` executes, it acquires the `nf_hook_mutex` to protect shared data structures during hook registration. However, after releasing this mutex, the function continues to reference memory that may have been freed by another thread, creating a race condition that allows for use-after-free scenarios. This condition is particularly dangerous because the netfilter subsystem is fundamental to packet filtering and network traffic control in Linux systems. The KASAN stack trace shows the problematic call path leading through `nf_hook_entries_get_hook_ops`, `hooks_validate`, and ultimately `__nf_register_net_hook`, indicating that the memory corruption occurs during validation of hook operations. According to CWE-416, this represents a classic use-after-free vulnerability where memory is accessed after it has been freed.

The operational impact of this vulnerability extends beyond simple system crashes, as it can potentially allow for arbitrary code execution or privilege escalation within the kernel context. An attacker who can trigger the specific sequence of operations leading to this race condition might be able to manipulate kernel memory, leading to denial of service or more severe compromise of the system. The vulnerability affects all Linux kernel versions that include the problematic netfilter implementation, particularly those with kernel versions 5.17 and later where the affected code paths were present. This issue is especially relevant in environments where netfilter is heavily used for firewalling, NAT, or traffic shaping operations. The vulnerability aligns with ATT&CK technique T1068, which covers "Exploitation for Privilege Escalation" and specifically addresses kernel-level exploit development.

Mitigation strategies for this vulnerability include immediate patching of the Linux kernel to the version containing the fix, which addresses the improper synchronization by ensuring that hook structure references are not accessed after mutex release. System administrators should prioritize applying kernel updates from their respective distributions, as the fix typically involves modifying the `__nf_register_net_hook()` function to prevent access to freed memory structures. Additionally, monitoring for KASAN reports or kernel oops messages can help detect exploitation attempts. Organizations should also consider implementing kernel hardening measures such as stack canaries, kernel address space layout randomization, and control flow integrity checks to make exploitation more difficult. For systems where immediate patching is not feasible, implementing network-level restrictions and monitoring for unusual network behavior can provide additional defense-in-depth measures against potential exploitation attempts.

Responsible

Linux

Reservation

08/21/2024

Disclosure

08/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00227

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!