CVE-2022-49236

CVSS 3.1 Score 7.8 of 10 (high)

Details

Published Feb 26, 2025
Updated: Feb 27, 2025
CWE ID 416

Summary

CVE-2022-49236 is a use-after-free vulnerability in the Linux kernel. The issue arises from a race between the creation of a module's BTF (BPF Type Format) and the module's initialization: BTF parsing and publication happen before the module initcall runs, so the kernel can look up and take a reference to a module that is not yet fully formed. If the initcall then fails and the module is freed, a BPF program that obtained that reference accesses freed memory.

The fix introduces a new flag, BTF_MODULE_F_LIVE, which is set when the module transitions to the MODULE_STATE_LIVE state. Lookups refuse to return a module whose BTF entry does not carry this flag, which closes the race: a module that is still in its initcall, or that failed it, is never handed out.

The bug was found while writing code to populate kfunc BTF ID sets for module BTF from a module's initcall. The existing code allowed a module's reference count to be incremented during the initcall, which leads to a use-after-free when the initcall fails and the module is freed regardless. The sequence is: CPU 0 looks up the module and attempts to access its BTF IDs, while CPU 1 runs the module initcall, which fails and frees the module; CPU 0 then uses the freed module. A selftest patch artificially creates this race and verifies that the verifier fails to load the program, confirming that the lookup is correctly refused.
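The following is an added userspace model of the race described above and of the "live" flag gating, written for this page; it is not Linux kernel code. Names such as `mod_registry`, `mod_lookup_unfixed`, `mod_lookup_fixed` and `MOD_F_LIVE` are assumptions of the model (the kernel's flag is BTF_MODULE_F_LIVE, and the state it keys on is MODULE_STATE_LIVE). The unfixed lookup hands out any published entry; the fixed lookup only returns a module that has completed its initcall.

```c
// Added example: userspace model of the CVE-2022-49236 race and its fix.
// Not kernel code; all names below are assumptions made for the model.
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum mod_state { MOD_STATE_COMING, MOD_STATE_LIVE, MOD_STATE_GOING };
#define MOD_F_LIVE 0x1          /* models BTF_MODULE_F_LIVE */

struct module {
    char name[32];
    enum mod_state state;
    unsigned int flags;         /* MOD_F_LIVE once initcall succeeded */
    int refcnt;
    bool freed;                 /* models the object having been freed */
};

/* Models the btf_modules list: an entry is published before the initcall. */
struct btf_module_entry { struct module *mod; };

#define MAX_MODS 4
static struct module mod_storage[MAX_MODS];
static struct btf_module_entry mod_registry[MAX_MODS];
static int nmods;

static void registry_reset(void) {
    memset(mod_storage, 0, sizeof mod_storage);
    memset(mod_registry, 0, sizeof mod_registry);
    nmods = 0;
}

/* BTF parsed and published while the module is still MOD_STATE_COMING. */
static struct module *mod_publish(const char *name) {
    if (nmods >= MAX_MODS) return NULL;
    struct module *m = &mod_storage[nmods];
    snprintf(m->name, sizeof m->name, "%s", name);
    m->state = MOD_STATE_COMING;
    mod_registry[nmods++].mod = m;
    return m;
}

/* Pre-fix behaviour: any published entry can be found and referenced. */
static struct module *mod_lookup_unfixed(const char *name) {
    for (int i = 0; i < nmods; i++) {
        struct module *m = mod_registry[i].mod;
        if (strcmp(m->name, name) == 0) { m->refcnt++; return m; }
    }
    return NULL;
}

/* Fixed behaviour: only entries flagged live (initcall done) are returned. */
static struct module *mod_lookup_fixed(const char *name) {
    for (int i = 0; i < nmods; i++) {
        struct module *m = mod_registry[i].mod;
        if (strcmp(m->name, name) != 0) continue;
        if (!(m->flags & MOD_F_LIVE)) return NULL;   /* not fully formed */
        m->refcnt++;
        return m;
    }
    return NULL;
}

/* Initcall outcome: success sets LIVE and the flag; failure frees the module
 * regardless of references taken during the initcall (the page's bug). */
static void mod_initcall_result(struct module *m, bool ok) {
    if (ok) { m->state = MOD_STATE_LIVE; m->flags |= MOD_F_LIVE; }
    else    { m->state = MOD_STATE_GOING; m->freed = true; }
}

/* CPU 0 looks up the module during its initcall; CPU 1's initcall fails.
 * Returns true if CPU 0 ends up holding a freed module (use-after-free). */
static bool simulate_race(bool fixed) {
    registry_reset();
    struct module *m = mod_publish("demo_mod");
    struct module *got = fixed ? mod_lookup_fixed("demo_mod")
                               : mod_lookup_unfixed("demo_mod");
    mod_initcall_result(m, false);
    if (got == NULL) return false;      /* lookup refused: nothing to misuse */
    return got->freed;                  /* pre-fix: pointer to freed object */
}

/* Sanity check that the fixed lookup still works once the module is live. */
static bool lookup_after_live(void) {
    registry_reset();
    struct module *m = mod_publish("demo_mod");
    mod_initcall_result(m, true);
    struct module *got = mod_lookup_fixed("demo_mod");
    return got != NULL && got->state == MOD_STATE_LIVE && got->refcnt == 1;
}

int main(void) {
    printf("unfixed lookup reaches UAF: %s\n", simulate_race(false) ? "yes" : "no");
    printf("fixed lookup reaches UAF:   %s\n", simulate_race(true) ? "yes" : "no");
    printf("fixed lookup after live ok: %s\n", lookup_after_live() ? "yes" : "no");
    return 0;
}
```

The model keeps the ordering the summary describes (publish, concurrent lookup, initcall failure and free) and shows why the fix is a gate on the lookup rather than a change to the free path: once a module cannot be handed out before it is live, a failed initcall leaves no outstanding references to the freed object.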
