CVE CyberSecurity Database News

CVE-2022-49279 - Integer Overflow in Linux Kernel NFSD Could Lead to Security Issues on 32‑Bit Systems

Poster -

In late 2022, a new vulnerability (CVE-2022-49279) was announced affecting the Network File System (NFS) service in the Linux kernel. This bug targeted 32-bit systems and could let attackers manipulate memory operations, possibly resulting in crashes or worse, security breaches. The flaw has already been patched in newer kernel releases, but understanding what happened is important for system admins and Linux users who want to keep their systems secure.

In this post, we’ll break down what CVE-2022-49279 is about, show simple code snippets that illustrate the bug, explain how an exploit might work, and give you links to the original source if you want more details.

What is CVE-2022-49279?

Summary:
CVE-2022-49279 is an integer overflow vulnerability in the Linux kernel's implementation of NFSD—a server for NFS (Network File System), which lets you share files across computers over a network. In this case, there’s an insufficient check on a multiplication operation (len * sizeof(*p)) in the code. On 32-bit systems, multiplying big enough numbers causes the result to “wrap around” (overflow), leading to possible memory corruption.

Official description:
> “In the Linux kernel, the following vulnerability has been resolved: NFSD: prevent integer overflow on 32 bit systems. On a 32 bit system, the 'len * sizeof(*p)' operation can have an integer overflow.”

Where’s the Bug?

The bug is in the Linux kernel source code for nfsd (the NFS server). Often, arrays or memory are allocated using something like:

// len comes from user input or from protocol data
unsigned int len = /* ... */;
__be32 *p;

p = kmalloc(len * sizeof(*p), GFP_KERNEL);

On a 32-bit system, unsigned int and pointer types are 32 bits (4 bytes) wide. If len is big enough, say, just above UINT_MAX / sizeof(*p), the product len * sizeof(*p) wraps around zero and results in a much smaller number. The call to kmalloc (kernel memory allocator) then allocates less memory than wanted, but later code still treats p as if it’s a giant array. This can lead to writing outside the allocated memory, causing all sorts of problems.

Here is a simplified C code illustrating this overflow

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <limits.h>

int main() {
    unsigned int len = UINT_MAX / 4 + 2;    // Any big enough value
    size_t sz = len * sizeof(uint32_t);     // sizeof(*p) = 4
    uint32_t *arr = malloc(sz);

    printf("len=%u, sz=%zu\n", len, sz);
    if (arr == NULL) {
        printf("Memory allocation failed\n");
        return 1;
    }

    // Now, any loop that writes len elements will corrupt memory!
    for(unsigned int i=; i<len; i++)
        arr[i] = i;

    free(arr);
    return ;
}

On a 32-bit system, the printf might show sz as a small number, even though len is very large. The system allocates far less than needed, and the for-loop writes off the end of the memory.

How Could It Be Exploited?

In Linux’s nfsd, attackers (or even client-side mistakes) could send a malicious NFS packet or request with a huge len value. When the kernel multiplies by sizeof(*p), the number overflows, small memory is allocated, but kernel code trusts that more space exists. Writing off the buffer could lead to:

Memory corruption (side effects depend on kernel hardening)

- Possibly privilege escalation or code execution, if a skilled attacker targets the overflow precisely

Here’s a simplified practical example

// Suppose an attacker sends a len=x40000001, for 4-byte elements:
unsigned int len = x40000001;
size_t sz = len * 4; // x40000001 * 4 = x100000004, but on 32bit: wraps to x00000004
void *p = malloc(sz); // Just 4 bytes! But code might later write len*4 bytes.

Any loop or operation relying on the original len will now cross memory boundaries.

The Official Patch

The Linux developers fixed this by adding proper checks before multiplying, making sure the operation doesn’t overflow.

Patch example (from mainline kernel)

if (len > (UINT_MAX / sizeof(*p)))
    return -EINVAL;
p = kmalloc(len * sizeof(*p), GFP_KERNEL);

This test ensures that len * sizeof(*p) can never wrap around; otherwise, the code returns an error.

_You can see this change in the upstream Linux kernel Git repository:_
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91e5c7d15e13f3e2b09ae29e47be641cf068cf9

Recommendations

- Patch your kernel: If you run the NFS server (nfsd) on a 32-bit Linux kernel, make sure you’ve updated to a version that includes this fix (late 2022 or later).

Additional Details and References

- CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-49279

Linux commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91e5c7d15e13f3e2b09ae29e47be641cf068cf9

Red Hat bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2166308

Conclusion

CVE-2022-49279 is a classic example of how unchecked mathematics in C can lead to big bugs, especially on 32-bit platforms. If you run Linux file servers, double check your patches and be wary of old 32-bit systems. A simple multiplication, left unchecked, could open the door to serious security risks.

Timeline

Published on: 02/26/2025 07:01:04 UTC
Last modified on: 04/14/2025 20:06:29 UTC