CVE-2022-48828 - Linux Kernel NFSd ia_size Underflow Vulnerability Analysis and Fix

A vulnerability in the Linux kernel tracked as CVE-2022-48828 has been identified and resolved. It affects the in-kernel NFS server (NFSd) and concerns the ia_size field of struct iattr: the field is a signed 64-bit loff_t, but the NFSv3 and NFSv4 protocols define file size as an unsigned 64-bit value, so a client can send a size the kernel cannot represent. This article walks through the vulnerability, the fix, the relevant code, and the original references.

In the Linux kernel source, the size value arrives through the NFSv4 attribute decoder in fs/nfsd/nfs4xdr.c and is acted on in nfsd_setattr() in fs/nfsd/vfs.c. The ia_size field, which carries the requested file size, is a loff_t, a signed 64-bit integer, whereas both NFSv3 and NFSv4 define the size attribute as an unsigned 64-bit integer. There is therefore a range of sizes that is valid on the wire but has no representation in the kernel's type.

Details of the Vulnerability

The problem arises when a client sends a file size greater than S64_MAX (the largest value a signed 64-bit integer can hold). Stored into a loff_t, such a value is reinterpreted as a negative number; the kernel commit describes this as an underflow of ia_size. The following abbreviated snippet shows where the assignment happened:

/* fs/nfsd/nfs4xdr.c (abbreviated): NFSv4 attribute decoder before the fix */
static __be32 nfsd4_decode_fattr4(struct nfsd4_compoundargs *argp, ..., struct iattr *iap)
{
  ...
  u64 size;                 /* decoded straight from the XDR stream */
  ...
  iap->ia_size = size;      /* full u64 into a signed loff_t: anything above S64_MAX goes negative */
  iap->ia_valid |= ATTR_SIZE;
  ...
}

Here the full u64 decoded from the request is stored into ia_size unchanged, so any value above S64_MAX becomes negative. Nothing rejected the request at that point, so the negative size was passed on to nfsd_setattr() and from there to the VFS as though it were a legitimate truncate target instead of being refused as invalid.

The Fix

The fix adds a range check to nfsd_setattr(), the setattr path shared by NFSv3 and NFSv4, so that a size which has gone negative is caught once for both protocols rather than separately in each decoder:

/* fs/nfsd/vfs.c: common setattr path for NFSv3 and NFSv4, after the fix */
__be32 nfsd_setattr(struct svc_rqst *rqstp, struct svc_fh *fhp, struct iattr *iap,
                    int check_guard, time64_t guardtime)
{
  ...
  /* A negative ia_size can only come from a wire size above S64_MAX */
  if (iap->ia_valid & ATTR_SIZE && iap->ia_size < 0)
    return nfserrno(-EINVAL);
  ...
}

In the code above, the new check rejects any setattr request that sets ATTR_SIZE with a negative ia_size, which can only happen when the client supplied a size above S64_MAX. The request fails with EINVAL (NFS3ERR_INVAL or NFS4ERR_INVAL on the wire) instead of reaching the VFS with an out-of-range size. The ia_valid test matters: ia_size is only meaningful when ATTR_SIZE is set, so the check does not trip on requests that change other attributes and leave ia_size uninitialised.
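The following stand-alone C program is an added example, not code from the page or from the kernel. It models both halves of the issue on constructed wire values: an XDR hyper (8 bytes, big-endian) is decoded into a signed 64-bit field the way the pre-fix NFSv4 decoder did, and the range check the fix adds to nfsd_setattr() is then applied. The struct iattr stand-in, the ATTR_SIZE flag value, the helper names and the sample byte strings are all assumptions made for this example; the kernel's own loff_t is modelled with int64_t.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's struct iattr (assumption for this example).
 * ia_size is int64_t here because the kernel's loff_t is a signed 64-bit
 * type; ATTR_SIZE is the validity bit that says ia_size is meaningful. */
#define ATTR_SIZE (1u << 3)

struct iattr {
	unsigned int ia_valid;
	int64_t ia_size;
};

/* Constructed wire values: NFS encodes the size attribute as an XDR hyper. */
static const unsigned char SAMPLE_ZERO[8]          = { 0, 0, 0, 0, 0, 0, 0, 0 };
static const unsigned char SAMPLE_S64_MAX[8]       = { 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
static const unsigned char SAMPLE_S64_MAX_PLUS1[8] = { 0x80, 0, 0, 0, 0, 0, 0, 0 };
static const unsigned char SAMPLE_U64_MAX[8]       = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };

/* Decode one XDR hyper (big-endian unsigned 64-bit). */
static uint64_t xdr_decode_u64(const unsigned char wire[8])
{
	uint64_t v = 0;

	for (int i = 0; i < 8; i++)
		v = (v << 8) | wire[i];
	return v;
}

/* What the pre-fix decoder did: the full u64 lands in the signed field.
 * memcpy reinterprets the bit pattern, which is what the kernel's implicit
 * u64 -> loff_t conversion does in practice, so values above S64_MAX
 * come out negative. */
static void decode_size_attr(const unsigned char wire[8], struct iattr *iap)
{
	uint64_t size = xdr_decode_u64(wire);

	memcpy(&iap->ia_size, &size, sizeof(iap->ia_size));
	iap->ia_valid |= ATTR_SIZE;
}

/* The check the fix adds to nfsd_setattr(): a negative ia_size can only
 * come from a wire value above S64_MAX. Returns 0 to proceed, -EINVAL to
 * reject the request. */
static int nfsd_setattr_size_check(const struct iattr *iap)
{
	if ((iap->ia_valid & ATTR_SIZE) && iap->ia_size < 0)
		return -EINVAL;
	return 0;
}

/* The value the decoder would have stored into ia_size for a wire value. */
int64_t decoded_size(const unsigned char wire[8])
{
	struct iattr ia = { 0 };

	decode_size_attr(wire, &ia);
	return ia.ia_size;
}

/* Decode, then apply the fix: 0 if the request proceeds, -EINVAL if not. */
int check_wire_size(const unsigned char wire[8])
{
	struct iattr ia = { 0 };

	decode_size_attr(wire, &ia);
	return nfsd_setattr_size_check(&ia);
}

/* The same check on an explicit iattr, to show why the ATTR_SIZE guard is
 * there: a stale ia_size on a request that does not set the size is ignored. */
int size_check(unsigned int ia_valid, int64_t ia_size)
{
	struct iattr ia = { .ia_valid = ia_valid, .ia_size = ia_size };

	return nfsd_setattr_size_check(&ia);
}

int main(void)
{
	const unsigned char *samples[] = { SAMPLE_ZERO, SAMPLE_S64_MAX,
					   SAMPLE_S64_MAX_PLUS1, SAMPLE_U64_MAX };
	const char *names[] = { "0", "S64_MAX", "S64_MAX+1", "U64_MAX" };

	for (size_t i = 0; i < 4; i++)
		printf("%-10s wire=%20llu ia_size=%20lld -> %s\n", names[i],
		       (unsigned long long)xdr_decode_u64(samples[i]),
		       (long long)decoded_size(samples[i]),
		       check_wire_size(samples[i]) == 0 ? "accepted" : "rejected (EINVAL)");
	return 0;
}
```

Running it shows the boundary directly: S64_MAX is the last value that survives the conversion, S64_MAX+1 becomes INT64_MIN and U64_MAX becomes -1, and only the latter two are refused by the check. Because the check sits after decoding rather than inside the decoder, the same guard covers the NFSv3 path once that decoder is routed through nfsd_setattr() as well.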

Conclusion

The Linux kernel vulnerability concerning the ia_size underflow in NFSd, designated CVE-2022-48828, has been fixed by a range check in nfsd_setattr(). File sizes above S64_MAX, which the kernel cannot represent, are now rejected with EINVAL rather than being passed through to the VFS as negative values.

1. Linux kernel commit that fixes the vulnerability
2. NFS version 3 protocol specification
3. NFS version 4 protocol specification

Timeline

Published on: 07/16/2024 12:15:06 UTC
Last modified on: 07/16/2024 13:43:58 UTC