CVE-2022-22942

kernel: failing usercopy allows for use-after-free exploitation

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The vmwgfx driver contains a local privilege escalation vulnerability that allows unprivileged users to gain access to files opened by other processes on the system through a dangling 'file' pointer.

El controlador vmwgfx contiene una vulnerabilidad de escalada de privilegios local que permite a los usuarios sin permisos obtener acceso a archivos abiertos por otros procesos en el sistema a través de un puntero de "archivo" colgante.

A use-after-free flaw was found in the Linux kernel’s vmw_execbuf_copy_fence_user function in drivers/gpu/drm/vmwgfx/vmwgfx_execbuf.c in vmwgfx. This flaw allows a local attacker with user privileges to cause a privilege escalation problem.

If the vmwgfx driver fails to copy the fence_rep object to userland, it tries to recover by deallocating the (already populated) file descriptor. This is wrong, as the fd gets released via put_unused_fd() which shouldn't be used, as the fd table slot was already populated via the previous call to fd_install(). This leaves userland with a valid fd table entry pointing to a freed file object. The authors use this bug to overwrite a SUID binary with their payload and gain root. Linux kernel versions 4.14-rc1 - 5.17-rc1 are vulnerable. Successfully tested against Ubuntu 22.04.01 with kernel 5.13.12-051312-generic.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-01-10 CVE Reserved
2022-02-18 CVE Published
2023-12-19 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (5)

URL	Tag	Source
https://github.com/vmware/photon/wiki/Security-Update-3.0-356	Release Notes
https://github.com/vmware/photon/wiki/Security-Update-4.0-148	Release Notes
https://www.openwall.com/lists/oss-security/2022/01/27/4	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2022-22942	2022-04-13
https://bugzilla.redhat.com/show_bug.cgi?id=2044809	2022-04-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Vmware Search vendor "Vmware"		Photon Os Search vendor "Vmware" for product "Photon Os"				3.0 Search vendor "Vmware" for product "Photon Os" and version "3.0"		-		Affected
Vmware Search vendor "Vmware"		Photon Os Search vendor "Vmware" for product "Photon Os"				4.0 Search vendor "Vmware" for product "Photon Os" and version "4.0"		-		Affected