CVE-2022-49928 - Null Pointer Dereference in Linux Kernel’s SUNRPC xps sysfs Allocation

A vulnerability was discovered and fixed in the Linux kernel’s SUNRPC subsystem, tracked as CVE-2022-49928. This issue was demonstrated as a null pointer dereference when allocating an xps sysfs object failed. In this post, we explain this bug in simple terms, show the technical details, discuss exploitation risk, and highlight the fix made by kernel developers.

What is the Problem?

The SUNRPC (Sun Remote Procedure Call) system in the Linux kernel allows network services (like NFS) to talk to each other. It makes use of something called the “xprt_switch” subsystem for switching between different network transports.

In the vulnerable Linux kernel code (net/sunrpc/xprtswitch.c), if the kernel failed to allocate memory for this “xps sysfs” object, it tried to add it anyway—causing a crash.

How the Bug Happens

During the creation of a new SUNRPC client, the kernel tries to create a sysfs entry to represent the transport switch. If allocation fails and is not checked, code goes on to use a null pointer, leading to a null-ptr-deref bug. A malicious local user or process could trigger this and cause a system crash (kernel "oops" or panic).

Typical Error Message

BUG: KASAN: null-ptr-deref in sysfs_do_create_link_sd+x40/xd
Read of size 8 at addr 000000000000003 by task gssproxy/457

And an example of the stack trace

CPU: 5 PID: 457 Comm: gssproxy Not tainted 6..-09040-g02357b27ee03 #9
Call Trace:
 <TASK>
 dump_stack_lvl+x34/x44
 kasan_report+xa3/x120
 sysfs_do_create_link_sd+x40/xd
 rpc_sysfs_client_setup+x161/x1b
 rpc_new_client+x3fc/x6e
 rpc_create_xprt+x71/x220
 rpc_create+x1d4/x350
 gssp_rpc_create+xc3/x160
 set_gssp_clnt+xbc/x140
 write_gssp+x116/x1a
 proc_reg_write+xd6/x130
 vfs_write+x177/x690
 ksys_write+xb9/x150
 do_syscall_64+x35/x80
 entry_SYSCALL_64_after_hwframe+x46/xb

Why Did This Happen?

The vulnerable code lacked proper checks for failed memory allocation. If memory couldn't be allocated, pointers used later would be NULL, causing a crash when dereferenced.

Key Function Affected

// Fragment of vulnerable code—simplified for clarity
struct xprt_switch *xps = xps_alloc();
sysfs_create_link(dentry, &xps->kobj, ...);

If xps_alloc() returns NULL but sysfs_create_link() is still called, the kernel will dereference a null pointer.

Exploiting the Vulnerability

Who can trigger this bug?
A local user with control over SUNRPC clients—for example, by running processes that use NFS in specific ways—could trigger it, especially under out-of-memory (OOM) conditions.

Attack Mechanism:
- Attackers could exploit this by exhausting system memory and then triggering the creation of a new SUNRPC transport (for example, via gssproxy or NFS mount operations).
- When allocation fails, the buggy code path is followed, leading to a null-pointer dereference and system crash.

Result:
The likely result is a simple denial of service (kernel panic). There is no clear path to privilege escalation or data corruption.

The Fix

Linux kernel developers patched this issue by adding missing NULL pointer checks and resetting certain pointers to NULL after failed operations.

Here's what the patched code looks like (simplified)

struct xprt_switch *xps = xps_alloc();
if (!xps) {
    /* Handle allocation failure safely */
    return -ENOMEM;
}
ret = sysfs_create_link(dentry, &xps->kobj, ...);
if (ret) {
    // On failure, set 'xps_sysfs' to NULL to avoid oops elsewhere
    xps_sysfs = NULL;
}

References

- Linux Kernel commit fixing the issue
- CVE Details for CVE-2022-49928
- Explaining Null Pointer Dereferences in Linux

Am I Affected?

You are vulnerable if you run a Linux kernel between versions where the bug was introduced and fixed (mainly kernel 6. and above). Check your kernel’s changelog, or run:

uname -a

If the version matches, and you use NFS or SUNRPC, you may be at risk. Update to the latest kernel with the patch applied.

Conclusion

CVE-2022-49928 is an example of why kernel code needs careful error checking. The bug could cause denial of service via a local user-triggered kernel panic. Upgrading to a kernel with the relevant fix prevents this issue.

If you run multiuser, high-availability, or file server environments with NFS/SUNRPC, update as soon as practical.


Want to learn more about kernel security?

Check out

- Kernel Newbies
- LWN.net kernel security


*Stay safe, and always keep your systems patched!*

Timeline

Published on: 05/01/2025 15:16:18 UTC
Last modified on: 05/07/2025 13:28:44 UTC