CVE-2022-50843
Description
In the Linux kernel, the following vulnerability has been resolved:
dm clone: Fix UAF in clone_dtr()
Dm_clone also has the same UAF problem when dm_resume() and dm_destroy() are concurrent.
Therefore, cancel the timer again in clone_dtr().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The dm clone target in the Linux kernel has a use-after-free (UAF) bug that occurs when dm_resume() and dm_destroy() run concurrently; the fix cancels the timer again in clone_dtr().
Vulnerability Overview
In the Linux kernel's device-mapper (dm) clone target, a use-after-free (UAF) vulnerability exists when dm_resume() and dm_destroy() are invoked concurrently. The failure to properly cancel a timer in the device's destructor function (clone_dtr()) before freeing associated memory allows the timer handler to operate on freed data structures.
Attack Surface and Exploitation
Exploitation requires the ability to trigger both a resume and a destroy operation on a dm-clone device simultaneously. This is achievable locally by a user with sufficient privileges to interact with device-mapper control interfaces. No network-based attack vector is present; the privilege needed is CAP_SYS_ADMIN or equivalent access to the dm subsystem. The race window between the two operations enables the UAF condition.
Impact
A successful exploit can lead to a kernel panic, denial of service, or potentially arbitrary code execution in kernel context, depending on the state of memory at the time of the race. The UAF may corrupt kernel memory, compromising system stability and security.
Mitigation
The fix, backported to stable kernel versions, involves cancelling the timer again in clone_dtr() to ensure no pending timer fires after the device structure is freed [1][2]. System administrators should apply the corresponding kernel patch or update to a fixed kernel version to mitigate this vulnerability.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
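The ordering problem described above can be replayed deterministically in a small userspace model. This is an added example, not kernel or dm-clone source: every name in it is hypothetical, and it assumes the earlier cancellation happens on the suspend path and that resume re-arms the timer, neither of which this page states.

```c
/* Added illustration: every name is hypothetical, none is dm-clone source. */
#include <stdbool.h>
#include <stdio.h>

struct dev   { bool freed; };   /* stands in for the target's private data */
struct timer { struct dev *owner; bool pending; };

/* Assumed roles: resume arms the timer, suspend cancels it the first time. */
static void arm(struct timer *t, struct dev *d) { t->owner = d; t->pending = true; }
static void cancel(struct timer *t)             { t->pending = false; }

/* Destructor. cancel_again = true models the fixed ordering. */
static void dtr(struct dev *d, struct timer *t, bool cancel_again)
{
    if (cancel_again)
        cancel(t);
    d->freed = true;            /* models the free; the memory stays valid here */
}

/* Expiry: true when the handler would run against an already-freed owner. */
static bool expire(struct timer *t)
{
    if (!t->pending)
        return false;
    t->pending = false;
    return t->owner->freed;
}

/* Replay one interleaving: cancel, optional racing resume, destroy, expiry. */
bool handler_hits_freed(bool racing_resume, bool cancel_again)
{
    struct dev d = { false };
    struct timer t = { 0 };
    arm(&t, &d);
    cancel(&t);                 /* the first cancellation */
    if (racing_resume)
        arm(&t, &d);            /* a concurrent resume undoes it */
    dtr(&d, &t, cancel_again);
    return expire(&t);
}

int main(void)
{
    for (int r = 0; r <= 1; r++)
        for (int c = 0; c <= 1; c++)
            printf("racing_resume=%d cancel_in_dtr=%d -> stale handler: %d\n",
                   r, c, handler_hits_freed(r, c));
    return 0;
}
```

Only the combination of a racing resume and a destructor that does not cancel leaves a pending timer pointing at freed state, which is why an earlier cancellation alone is not sufficient.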
Affected products
1
Patches
6
520b56cfd9fa, 342cfd8426df, 856edd0e92f3, b1ddb666073b, 9e113cd4f61f, e4b5957c6f74
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6
- git.kernel.org/stable/c/342cfd8426dff4228e6c714bcb9fc8295a2748dd (nvd)
- git.kernel.org/stable/c/520b56cfd9faee7683f081c3a38f11a81b13a68e (nvd)
- git.kernel.org/stable/c/856edd0e92f3fe89606b704c86a93daedddfe6ec (nvd)
- git.kernel.org/stable/c/9e113cd4f61f3b0000843b2d0a90ce8b40a1fcff (nvd)
- git.kernel.org/stable/c/b1ddb666073bb5f36390aaabaa1a4d48d78c52ed (nvd)
- git.kernel.org/stable/c/e4b5957c6f749a501c464f92792f1c8e26b61a94 (nvd)