CVE-2022-43945: Linux Kernel NFSD Buffer Overflow Vulnerability in Versions Prior to 5.19.17 and 6..2

Introduction: Security researchers have recently discovered a buffer overflow vulnerability in the Linux kernel's Network File System Daemon (NFSD) implementation. The vulnerability has been assigned the identifier CVE-2022-43945 and affects Linux kernel NFSD versions prior to 5.19.17 and 6..2. If exploited, this vulnerability could cause a denial of service (DoS) or potentially allow an attacker to execute arbitrary code on the affected system.

Original References

- CVE-2022-43945
- Patch 5.19.17
- Patch 6..2

Exploit Details

The vulnerability lies in the way NFSD handles remote procedure calls (RPC) over TCP. NFSD combines the receive and send buffers of an RPC into a single array of pages to track the number of pages held by each NFSD thread. An attacker can exploit this vulnerability by sending an RPC message over TCP with extra garbage data added at the end of the message. Although the RPC message is technically correct according to the RPC specification, the vulnerable NFSD code is not expecting an oversized request and writes beyond the allocated buffer space, causing a buffer overflow.

CVSS Details

The vulnerability has been assigned a CVSS v3.1 base score of 7.7/10 with the following breakdown: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates that the vulnerability can be exploited remotely over a network (AV:N), has low attack complexity (AC:L), and requires limited privileges to exploit (PR:L). A successful exploit would have no impact on confidentiality (C:N) or integrity (I:N), but could have a high impact on availability (A:H), potentially leading to a denial of service or system crash.

The following code snippet demonstrates the problem in the vulnerable versions of NFSD

struct svc_rqst {
  ...
  struct page *rq_pages[RPCSVC_MAXPAGES]; // combined receive and send buffers
  ...
};

// vulnerable function
static int nfsd_overflow(struct svc_rqst *rqstp, __be32 *p)
{
    int space = rqstp->rq_respages + RPCSVC_MAXPAGES - rqstp->rq_resused - 1;
    return ((void*)p > PAGE_SIZE*(space)) + (char *)(rqstp->rq_resused);
}

Mitigation

Administrators are advised to update their Linux kernel to versions 5.19.17 or 6..2, which contain patches addressing this vulnerability. In addition, network administrators can monitor network traffic for unusually large RPC messages, which could indicate an attempted exploit of this vulnerability.

Timeline

Published on: 11/04/2022 19:15:00 UTC
Last modified on: 03/08/2023 18:15:00 UTC