CVE-2022-50421
📋 TL;DR
This CVE describes a use-after-free vulnerability in the Linux kernel's rpmsg character device driver. When a remoteproc is stopped before closing the /dev/rpmsgX device, the default endpoint can be destroyed twice, potentially leading to memory corruption. This affects systems using the rpmsg subsystem for inter-processor communication.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic or system crash leading to denial of service, with potential for privilege escalation if memory corruption can be controlled.
Likely Case
System instability, kernel warnings, or crashes when using rpmsg devices with improper shutdown sequences.
If Mitigated
Minor system warnings in kernel logs with no functional impact if proper shutdown procedures are followed.
🎯 Exploit Status
Exploitation requires local access and specific timing conditions (stopping remoteproc before closing device).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Kernel versions with commits 3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb, 467233a4ac29b215d492843d067a9f091e6bf0c5, or ef828a39d6a7028836eaf37df3ad568c8c2dd6f9
Vendor Advisory: https://git.kernel.org/stable/c/3f20ef7a845c2c8d7ec82ecffa20d95cab5ecfeb
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a version containing the fix commits.
2. Reboot the system to load the new kernel.
3. Verify the fix by checking the kernel version.
🔧 Temporary Workarounds
Avoid improper rpmsg shutdown sequence
Linux: ensure every /dev/rpmsgX device is closed before the remote processor (remoteproc) is stopped, so the default endpoint is not destroyed a second time.
🧯 If You Can't Patch
- Restrict access to /dev/rpmsg* devices to trusted users only
- Implement monitoring for kernel warnings related to refcount underflow
🔍 How to Verify
Check if Vulnerable:
Check if kernel version is vulnerable by comparing with patched versions. Look for kernel warnings about 'refcount_t: underflow' in dmesg.
Check Version:
uname -r
Verify Fix Applied:
Check kernel version includes fix commits. Test rpmsg device operations with improper shutdown sequence and verify no warnings appear.
📡 Detection & Monitoring
Log Indicators:
- Kernel log messages containing 'refcount_t: underflow; use-after-free'
- Warnings about virtio_rpmsg_destroy_ept or rpmsg_dev_remove
SIEM Query:
source="kernel" AND ("refcount_t: underflow" OR "use-after-free" OR "rpmsg_dev_remove")
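The "How to Verify" and "Detection & Monitoring" sections above both come down to scanning kernel log output for the indicators listed (refcount underflow warnings and rpmsg frames in the stack trace). The following is an added example, not code from the advisory or the kernel project: a small Python scanner that parses dmesg-style lines, flags those indicators, and then correlates each refcount underflow with rpmsg symbols seen within a short time window. The correlation step is there because the SIEM query above matches on "use-after-free" alone, which any refcount or KASAN report will trigger; requiring an rpmsg frame nearby narrows hits to this driver. The sample dmesg text is constructed for illustration; the function and constant names are this example's own.

```python
import re

# Indicators taken from the advisory's "Log Indicators" section.
INDICATORS = (
    "refcount_t: underflow",
    "use-after-free",
    "virtio_rpmsg_destroy_ept",
    "rpmsg_dev_remove",
)

# Constructed sample dmesg output (not a real capture); timestamps and
# addresses are illustrative only.
SAMPLE_DMESG = """\
[   12.345678] remoteproc remoteproc0: powering up
[   12.456789] virtio_rpmsg_bus virtio0: rpmsg host is online
[  120.000001] remoteproc remoteproc0: stopped remote processor
[  120.000002] ------------[ cut here ]------------
[  120.000003] refcount_t: underflow; use-after-free.
[  120.000004] WARNING: CPU: 0 PID: 123 at lib/refcount.c:28 refcount_warn_saturate+0xa4/0xf4
[  120.000005] Call trace:
[  120.000006]  virtio_rpmsg_destroy_ept+0x58/0x70
[  120.000007]  rpmsg_dev_remove+0x30/0x40
[  121.000000] usb 1-1: new high-speed USB device
"""

# Constructed benign log: rpmsg in use, clean shutdown, no warnings.
BENIGN_DMESG = """\
[   12.345678] remoteproc remoteproc0: powering up
[   12.456789] virtio_rpmsg_bus virtio0: rpmsg host is online
[   60.000000] remoteproc remoteproc0: stopped remote processor
"""

# dmesg line: "[  seconds.micros] message"
LINE_RE = re.compile(r"^\[\s*(?P<ts>[0-9.]+)\]\s(?P<msg>.*)$")


def parse_dmesg(text):
    """Yield (timestamp, message) pairs; lines without a [ts] prefix get None."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield float(m.group("ts")), m.group("msg").strip()
        elif raw.strip():
            yield None, raw.strip()


def find_rpmsg_indicators(text):
    """Return a list of (timestamp, indicator, message) for every indicator hit."""
    hits = []
    for ts, msg in parse_dmesg(text):
        for indicator in INDICATORS:
            if indicator in msg:
                hits.append((ts, indicator, msg))
    return hits


def correlate(hits, window_s=1.0):
    """For each refcount underflow, list rpmsg frames seen within window_s seconds.

    An underflow with an empty 'rpmsg_frames' list is some other refcount bug,
    not this rpmsg issue, so a consumer can down-rank it.
    """
    events = []
    for ts, indicator, _ in hits:
        if indicator != "refcount_t: underflow" or ts is None:
            continue
        frames = {
            h[1] for h in hits
            if h[0] is not None
            and abs(h[0] - ts) <= window_s
            and h[1].startswith(("virtio_rpmsg", "rpmsg_"))
        }
        events.append({"ts": ts, "rpmsg_frames": sorted(frames)})
    return events


if __name__ == "__main__":
    # Stand-alone usage: replace SAMPLE_DMESG with the output of `dmesg`.
    found = find_rpmsg_indicators(SAMPLE_DMESG)
    for ts, indicator, msg in found:
        print(f"{ts} {indicator!r}: {msg}")
    for event in correlate(found):
        verdict = "rpmsg-related" if event["rpmsg_frames"] else "unrelated refcount bug"
        print(f"underflow at {event['ts']}: {verdict} {event['rpmsg_frames']}")
```

On a live system, feed the scanner `dmesg` output (or the kernel facility from journald) and alert only on underflow events whose `rpmsg_frames` list is non-empty; a clean run after patching, exercised with the stop-before-close sequence the advisory describes, should produce no hits at all.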