CyRC Vulnerability Advisory: CVE-2022-43945 buffer overflow vulnerabilities in NFSD

Kari Hulkko

Nov 02, 2022 / 1 min read

Overview

The Black Duck Cybersecurity Research Center (CyRC) has identified problems with buffer handling in the Linux kernel NFSD implementation, reported as CVE-2022-43945. The mechanism causing the problem has been in the kernel code for decades and might be exploited in diverse ways depending on the version of the kernel and NFS operation used.

NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. Historically, this approach was used to optimize memory usage when no single operation needed a large RPC message and a large RPC reply message at the same time. To achieve shared-buffer functionality, a send buffer must shrink when the received RPC message size increases.

A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data appended to the end of the message. The RPC message with trailing garbage is still correctly formed according to the specification and is passed on to the handlers. Vulnerable code in NFSD does not expect the oversized request and writes beyond the allocated buffer space.
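The shared-buffer arithmetic described above, modelled as an added C example that is not the kernel's code or any of the linked patches: the names RQ_PAGES, shared_rq, reply_space and encode_reply are hypothetical, and the page size and byte counts are constructed. It shows how a reply that fits after a normal-size call no longer fits once a padded call has consumed the shared pages, and how a checked encoder refuses it instead of writing past the array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical model, not kernel code: one page array is shared between the
 * received RPC message and the reply, as the advisory describes. */
#define PAGE_SZ 4096u
#define RQ_PAGES 8u                       /* pages held by one NFSD thread */
#define RQ_BYTES (RQ_PAGES * PAGE_SZ)

struct shared_rq {
    uint8_t pages[RQ_BYTES];
    size_t recv_len;                      /* bytes used by the received call */
};
/* The reply begins on the first page after the received message, so a
 * larger (e.g. garbage-padded) call leaves fewer pages for the reply. */
static size_t reply_offset(const struct shared_rq *rq)
{
    size_t used_pages = (rq->recv_len + PAGE_SZ - 1) / PAGE_SZ;
    return used_pages * PAGE_SZ;
}

size_t reply_space(const struct shared_rq *rq)
{
    size_t off = reply_offset(rq);
    return off >= RQ_BYTES ? 0 : RQ_BYTES - off;
}

/* Hardened encoder: writes the reply only if it fits the remaining pages and
 * returns bytes written, or 0 when refused. Skipping this comparison is the
 * pattern the advisory describes. */
size_t encode_reply(struct shared_rq *rq, const uint8_t *payload, size_t len)
{
    if (len > reply_space(rq))
        return 0;
    memcpy(rq->pages + reply_offset(rq), payload, len);
    return len;
}
/* Constructed scenario: a normal-size call and a garbage-padded call, each
 * followed by the same 3-page reply; only the first must be written. */
bool padded_call_is_refused(void)
{
    static struct shared_rq rq;
    static uint8_t reply[3 * PAGE_SZ];
    memset(reply, 0xAB, sizeof reply);
    rq.recv_len = 512;
    size_t written = encode_reply(&rq, reply, sizeof reply);
    rq.recv_len = 6 * PAGE_SZ + 1;        /* spills into a seventh page */
    size_t refused = encode_reply(&rq, reply, sizeof reply);
    return written == sizeof reply && refused == 0;
}
```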

While investigating the reported vulnerability, other buffer-handling issues in the NFSD code were found and fixed.

The vulnerabilities can be used for a denial-of-service attack at minimum.

Affected software

All Linux kernel versions using NFSD prior to 5.19.17 and 6.0.2.

Remediation

Relevant fixes are landing in the mainline kernel with the nfsd-6.1 updates.

The fixed code has been included in the stable kernels since the following versions:

  • 6.0.2
  • 5.19.17

Original patches for NFSD v2/v3/v4 from the NFSD and NFS/RDMA development repository:

  • https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/commit/?h=for-next&id=90bfc37b5ab91c1a6165e3e5cfc49bf04571b762
  • https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/commit/?h=for-next&id=1242a87da0d8cd2a428e96ca68e7ea899b0f4624
  • https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/commit/?h=for-next&id=00b4492686e0497fdb924a9d4c8f6f99377e176c
  • https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/commit/?h=for-next&id=640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991
  • https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/commit/?h=for-next&id=401bc1f90874280a80b93f23be33a0e7e2d1f912
  • https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/commit/?h=for-next&id=fa6be9cc6e80ec79892ddf08a8c10cabab9baf38
  • https://git.kernel.org/pub/scm/linux/kernel/git/cel/linux.git/commit/?h=for-next&id=76ce4dcec0dc08a032db916841ddc4e3998be317

Discovery credit

Aleksi Illikainen and Kari Hulkko from the CyRC discovered these vulnerabilities by using the Defensics® fuzz testing tool.

Black Duck would like to thank the maintainers of the Linux NFSD subsystem for their responsiveness and great cooperation.

Timeline

  • July 20, 2022: Initial disclosure
  • August 8, 2022: Linux Foundation confirms the vulnerability
  • September 1, 2022: Patch v3 published for NFSv2/3
  • September 26, 2022: Patch published for NFSv4
  • October 4, 2022: Patch integrated into mainline kernel
  • November 3, 2022: Advisory published by Black Duck

About CVSS

FIRST.Org, Inc. (FIRST) is a nonprofit organization based in the U.S. that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores must follow the guidelines so that anyone can understand how the score was calculated.
