CVE-2022-48828

In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix ia_size underflow iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. I'm about to fix up the NFSv3 behavior as well, so let's catch the underflow in the common code path: nfsd_setattr().

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b	Patch
https://git.kernel.org/stable/c/8e0ecaf7a7e57b30284d6b3289cc436100fadc48	Patch
https://git.kernel.org/stable/c/d2211e6e34d0755f35e2f8c22d81999fa81cfc71	Patch
https://git.kernel.org/stable/c/da22ca1ad548429d7822011c54cfe210718e0aa7	Patch
https://git.kernel.org/stable/c/e6faac3f58c7c4176b66f63def17a34232a17b0e	Patch
https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b	Patch
https://git.kernel.org/stable/c/8e0ecaf7a7e57b30284d6b3289cc436100fadc48	Patch
https://git.kernel.org/stable/c/da22ca1ad548429d7822011c54cfe210718e0aa7	Patch
https://git.kernel.org/stable/c/e6faac3f58c7c4176b66f63def17a34232a17b0e	Patch

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel::::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc1::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc2::::::
	cpe:2.3:o:linux:linux_kernel:5.17:rc3::::::

History

No history.

Information

Published : 2024-07-16 12:15

Updated : 2025-09-25 19:31

NVD link : CVE-2022-48828

Mitre link : CVE-2022-48828

CVE.ORG link : CVE-2022-48828

JSON object : View

Products Affected

linux

linux_kernel

CWE

CWE-191

Integer Underflow (Wrap or Wraparound)

{"id": "CVE-2022-48828", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-07-16T12:15:06.477", "references": [{"url": "https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/8e0ecaf7a7e57b30284d6b3289cc436100fadc48", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d2211e6e34d0755f35e2f8c22d81999fa81cfc71", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/da22ca1ad548429d7822011c54cfe210718e0aa7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/e6faac3f58c7c4176b66f63def17a34232a17b0e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/38d02ba22e43b6fc7d291cf724bc6e3b7be6626b", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/8e0ecaf7a7e57b30284d6b3289cc436100fadc48", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/da22ca1ad548429d7822011c54cfe210718e0aa7", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/e6faac3f58c7c4176b66f63def17a34232a17b0e", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-191"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nNFSD: Fix ia_size underflow\n\niattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and\nNFSv4 both define file size as an unsigned 64-bit type. Thus there\nis a range of valid file size values an NFS client can send that is\nalready larger than Linux can handle.\n\nCurrently decode_fattr4() dumps a full u64 value into ia_size. If\nthat value happens to be larger than S64_MAX, then ia_size\nunderflows. I'm about to fix up the NFSv3 behavior as well, so let's\ncatch the underflow in the common code path: nfsd_setattr()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: NFSD: corrija el desbordamiento insuficiente de ia_size iattr::ia_size es un loff_t, que es un tipo de 64 bits firmado. NFSv3 y NFSv4 definen el tama\u00f1o del archivo como un tipo de 64 bits sin firmar. Por lo tanto, existe un rango de valores de tama\u00f1o de archivo v\u00e1lidos que un cliente NFS puede enviar y que ya es mayor de lo que Linux puede manejar. Actualmente, decode_fattr4() vuelca un valor u64 completo en ia_size. Si ese valor resulta ser mayor que S64_MAX, entonces ia_size tiene un desbordamiento insuficiente. Tambi\u00e9n estoy a punto de arreglar el comportamiento de NFSv3, as\u00ed que detectemos el desbordamiento en la ruta del c\u00f3digo com\u00fan: nfsd_setattr()."}], "lastModified": "2025-09-25T19:31:42.517", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA4BF151-0908-4C15-9931-A867361FC272", "versionEndExcluding": "5.4.295"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5816E2E8-2D39-42FC-B69B-20248BF7FBEF", "versionEndExcluding": "5.10.220", "versionStartIncluding": "5.5"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "866451F0-299E-416C-B0B8-AE6B33E62CCA", "versionEndExcluding": "5.15.24", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "679523BA-1392-404B-AB85-F5A5408B1ECC", "versionEndExcluding": "5.16.10", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7BD5F8D9-54FA-4CB0-B4F0-CB0471FDDB2D"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E6E34B23-78B4-4516-9BD8-61B33F4AC49A"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:5.17:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C030FA3D-03F4-4FB9-9DBF-D08E5CAC51AA"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}