Get remediation guidance on CVE-2022-43945, which covers two vulnerabilities causing buffer-handling issues in the Linux kernel NFSD implementation.
By: Aleksi Illikainen and Kari Hulkko, Synopsys Cybersecurity Research Center.
The Synopsys Cybersecurity Research Center (CyRC) has identified problems with buffer handling in the Linux kernel NFSD implementation, reported as CVE-2022-43945. The mechanism causing the problem has been in the kernel code for decades and might be exploited in diverse ways depending on the kernel version and the NFS operation used.
NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. Historically, this approach was used to optimize memory usage when no single operation needed a large RPC message and a large RPC reply message at the same time. To achieve shared-buffer functionality, a send buffer must shrink when the received RPC message size increases.
A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data appended to the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed on to the handlers. Vulnerable code in NFSD does not expect the oversized request and writes beyond the allocated buffer space.
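As an added illustration (not code from the advisory or from the kernel), the following C model mirrors the shared page pool described above: a request that arrives padded with extra trailing bytes occupies more pages, the reply area starts later, and an encoder that checks the remaining space before each write refuses the reply instead of running past the pool. The pool size, PAGE_SZ, POOL_PAGES and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the shared receive/send page pool described above.
 * Illustrative only: this is not the kernel's NFSD or SUNRPC code. */
#define PAGE_SZ    4096u
#define POOL_PAGES 8u   /* hypothetical per-thread page budget */

struct rqst_pool {
    uint8_t pages[POOL_PAGES * PAGE_SZ]; /* one array shared by request and reply */
    size_t  reply_pos;                   /* write cursor for reply encoding */
};

/* Receive an RPC message. The reply area starts on the page after the request,
 * so a longer request (e.g. one with trailing padding) shrinks the send buffer. */
static bool pool_receive(struct rqst_pool *p, const uint8_t *msg, size_t len) {
    if (len > sizeof p->pages) return false;   /* cannot even hold the request */
    memcpy(p->pages, msg, len);
    p->reply_pos = ((len + PAGE_SZ - 1) / PAGE_SZ) * PAGE_SZ;
    return true;
}

/* Bytes still available for reply encoding. */
static size_t pool_reply_space(const struct rqst_pool *p) {
    return sizeof p->pages - p->reply_pos;
}

/* Hardened encoder: check the remaining space before every write and refuse
 * the reply rather than write past the end of the shared pool. */
static bool pool_encode(struct rqst_pool *p, const uint8_t *data, size_t n) {
    if (n > pool_reply_space(p)) return false; /* the check the vulnerable path lacked */
    memcpy(p->pages + p->reply_pos, data, n);
    p->reply_pos += n;
    return true;
}

/* Worked-scenario helpers (static buffers: the pool is 32 KiB). */
static struct rqst_pool g_pool;
static uint8_t g_scratch[POOL_PAGES * PAGE_SZ];
/* Reply room left after a request of req_len bytes (0 if the request does not fit). */
static size_t reply_space_after(size_t req_len) {
    return pool_receive(&g_pool, g_scratch, req_len) ? pool_reply_space(&g_pool) : 0;
}

/* Whether a reply of reply_len bytes can be encoded after a request of req_len bytes. */
static bool reply_fits(size_t req_len, size_t reply_len) {
    return pool_receive(&g_pool, g_scratch, req_len) && pool_encode(&g_pool, g_scratch, reply_len);
}
```

A minimal request leaves seven pages for the reply; the same reply after a request padded out to the whole pool is refused rather than written out of bounds.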
While investigating the reported vulnerability, other buffer-handling issues in the NFSD code were found and fixed.
The vulnerabilities can be used for a denial-of-service attack at minimum.
All Linux kernel versions using NFSD prior to 5.19.17 and 6.0.2 are affected.
CVSS 3.1 base score: 6.5 (Medium)
The relevant fixes are landing in the mainline kernel with the nfsd-6.1 updates.
The fixed code is included in stable kernel since versions
Original patches for NFSD v2/v3/v4 from the NFSD and NFS/RDMA development repository
Aleksi Illikainen and Kari Hulkko from the CyRC discovered these vulnerabilities by using the Defensics® fuzz testing tool.
Synopsys would like to thank the maintainers of the Linux NFSD subsystem for their responsiveness and great cooperation.
FIRST.Org, Inc. (FIRST) is a nonprofit organization based in the U.S. that owns and manages CVSS. Membership in FIRST is not required to use or implement CVSS, but FIRST does require that any individual or organization give appropriate attribution when using CVSS. FIRST also states that any individual or organization that publishes scores should follow its guidelines so that anyone can understand how the score was calculated.
Kari Hulkko is a senior software engineer on the Defensics team at Synopsys. He brings over 16 years of experience from various embedded and Linux development projects. Currently, he is focusing on fuzzing WLAN and IoT protocols. In his spare time, Kari plays Ultimate Frisbee.