In April 2022, a security vulnerability identified as CVE-2022-28893 shook up the world of Linux system administrators and kernel developers. This bug was found in the SUNRPC subsystem of the Linux kernel (up to version 5.17.2), and it can potentially allow attackers to cause kernel crashes or execute code under certain circumstances.
This post breaks down what CVE-2022-28893 is all about, how the exploit works, some code snippets to help you understand the issue, and strategies for mitigation. We'll use simple language and directly highlight the relevant technical details. This post is exclusive: compiled and explained in a simple way just for you.
Background: What Is SUNRPC?
SUNRPC (Sun Remote Procedure Call) is a protocol that allows processes on different systems to communicate and call procedures over a network—important for things like NFS (Network File System).
The Linux kernel maintains code to handle connections for these remote procedures, and the part that manages the lower-level details is complex and performance-critical.
The Issue
The vulnerability exists in how the SUNRPC subsystem frees transport objects (xs_xprt_free) before ensuring that network sockets are shut down and are in their expected "safe" state.
Insecure cleanup:
- The code responsible for cleaning up the transport (essentially, network connections used by SUNRPC) may free up resources while a socket is still active or half-closed.
Consequences:
- This can lead to use-after-free bugs, where the kernel tries to access released memory, resulting in a crash (kernel panic) or possibly allowing a local attacker to escalate privileges.
The Problematic Code (Before Patch)
Here's a simplified C code snippet of the relevant function. Imagine xs_xprt_free is called to free a transport, but the associated socket isn't safely closed yet:
// Pseudocode - simplified for clarity
void xs_xprt_free(struct rpc_xprt *xprt) {
struct sock *sk = xprt->sock;
// ... other cleanup ...
kfree(xprt); // Frees the structure
// But what if 'sk' is still in use? Ouch!
}
If something else references xprt after it's freed, boom! That's when the kernel can panic and crash.
How It Should Work (Patched Version)
The fix ensures that before xs_xprt_free is called, the code verifies the state of the socket and ensures it's fully cleaned up:
void xs_xprt_free(struct rpc_xprt *xprt) {
struct sock *sk = xprt->sock;
if (sk) {
// Properly shutdown the socket
kernel_sock_shutdown(sk, SHUT_RDWR);
sock_release(sk);
xprt->sock = NULL;
}
// THEN free the structure
kfree(xprt);
}
Who Can Attack?
- Local attackers: Since this bug requires the ability to create and manage kernel SUNRPC transport sockets, local users (including potentially unprivileged ones with access to RPC services) could trigger it.
- Remote attack? It is unlikely unless remote RPC communications can be manipulated to trigger socket state inconsistencies, but it's mainly a local privilege escalation risk.
Force premature freeing by manipulating connections (aborting, racing disconnections, etc.)
3. Access freed memory—the kernel could crash, or if you're lucky and skilled, you get code execution.
While writing a full PoC is risky, here's how someone might unintentionally hit this
# On a vulnerable machine:
mount -t nfs remote-server:/export /mnt/tmp
sleep 1
umount /mnt/tmp
mount -t nfs remote-server:/export /mnt/tmp
umount /mnt/tmp
# Repeat rapidly or script disconnections to race kernel cleanup
If you time it right or stress the NFS connections, the system could hit use-after-free.
Official Reference Links
- CVE entry on Mitre
- Linux Kernel Patch Commit (torvalds/linux.git) (for the actual fix)
- oss-security mailing list announcement
Mitigation and Fix
- Upgrade your kernel! This bug is fixed in 5.17.3 and backports to most maintained LTS series (5.15, 5.10, 5.4, etc.).
- If immediate upgrade is impossible: Restrict local user access to RPC-related system calls, or consider disabling NFS/SUNRPC services temporarily.
Fixes are available—update your systems!
If you run a Linux system with any RPC/NFS functionality exposed, make sure you're protected against this bug.
Questions? Want more technical details? Drop a comment or reach out!
*This post was researched, compiled, and simplified for clarity. Please always cite and review official security sources before acting on vulnerability disclosures.*
Timeline
Published on: 04/11/2022 05:15:00 UTC
Last modified on: 06/13/2022 11:15:00 UTC