CVE-2022-48672 in Linux

Summary

by MITRE • 05/03/2024

In the Linux kernel, the following vulnerability has been resolved:

of: fdt: fix off-by-one error in unflatten_dt_nodes()

Commit 78c44d910d3e ("drivers/of: Fix depth when unflattening devicetree") forgot to fix up the depth check in the loop body in unflatten_dt_nodes() which makes it possible to overflow the nps[] buffer...

Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool.


Analysis

by VulDB Data Team • 09/29/2025

The vulnerability described in CVE-2022-48672 is a buffer overflow in the Linux kernel's device tree processing subsystem. The flaw is in the unflatten_dt_nodes() function in drivers/of/fdt.c, which converts the flattened device tree (FDT) blob back into the hierarchical struct device_node tree the kernel uses for hardware configuration and initialization. It stems from an incomplete fix in commit 78c44d910d3e, which corrected the depth calculation but did not update the depth check in the loop body that bounds the buffer accesses.

Technically the defect is an off-by-one error in the unflattening loop: the depth check is misaligned with the actual bounds of the nps[] array. That array serves as a stack of parent nodes during the hierarchical reconstruction of the tree. When the loop encounters a device tree whose nesting exceeds the expected depth, the insufficient check allows a write one slot past the end of the buffer, a classic buffer overflow that could be exploited to corrupt kernel memory.

The operational impact of this vulnerability extends beyond simple memory corruption as it affects the fundamental device tree processing capabilities of the Linux kernel. During system boot or runtime device tree manipulation operations, this flaw could cause kernel panics, system crashes, or more insidiously, allow for privilege escalation attacks that leverage the kernel memory corruption to gain elevated privileges. The vulnerability is particularly concerning in embedded systems and server environments where device tree manipulation occurs frequently during hardware probing and initialization sequences, making the attack surface more prevalent in production systems.

This vulnerability aligns with CWE-121, which describes stack-based buffer overflow conditions, and is consistent with ATT&CK technique T1068, exploitation for local privilege escalation. The issue was identified by the Linux Verification Center with the SVACE static analysis tool, which highlights the value of automated analysis in detecting subtle kernel-level programming errors. The fix requires keeping the corrected depth calculation while constraining access to the nps[] buffer so that no future overflow can occur during device tree processing.

The resolution of this vulnerability involves restoring proper boundary checking logic within the loop body of the unflatten_dt_nodes() function to ensure that the depth validation correctly prevents access beyond the allocated nps[] buffer limits. This correction must maintain the original intent of the depth calculation fix while preventing the overflow condition that could otherwise compromise system stability and security. System administrators should prioritize applying the kernel patches that contain the corrected implementation to protect against potential exploitation of this buffer overflow vulnerability during device tree processing operations.
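To make the boundary mismatch concrete, the following is an added, constructed model of the unflattening loop; it is not the kernel's code from drivers/of/fdt.c. It assumes the shape the summary describes: a parent stack nps[] sized to a fixed maximum depth, a loop that stores each new node at nps[depth + 1], and a depth check that is supposed to reject nodes nested too deeply. The constant MAX_DEPTH, the function names model_walk() and has_out_of_bounds(), and the sample depth sequence are all hypothetical. The model never performs the out-of-bounds write; it only reports the highest nps[] index the loop would touch, so the defective and corrected checks can be compared safely.

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for the kernel's maximum nesting depth (constructed value). */
#define MAX_DEPTH 4

/*
 * Constructed walk: each entry is the nesting depth that the "next node"
 * iterator would report, i.e. a chain nested one level deeper each time.
 */
static const int nested_depths[] = { 0, 1, 2, 3, 4, 5 };
#define NESTED_COUNT (sizeof(nested_depths) / sizeof(nested_depths[0]))

/*
 * Model of the loop body. The new node for a node at `depth` is stored at
 * nps[depth + 1], so the highest index written is depth + 1. `slack` is
 * how far below MAX_DEPTH the check stops:
 *   slack == 0 models the defective check  (depth >= MAX_DEPTH),
 *   slack == 1 models the corrected check  (depth >= MAX_DEPTH - 1).
 * Returns the largest nps[] index the loop would attempt to write, or -1
 * if no node was accepted. Writes are guarded so the model stays in bounds.
 */
static int model_walk(const int *depths, size_t count, int slack)
{
    int nps[MAX_DEPTH];
    int highest = -1;

    for (size_t i = 0; i < count; i++) {
        int depth = depths[i];

        /* The boundary check under examination. */
        if (depth >= MAX_DEPTH - slack)
            continue;

        int idx = depth + 1;           /* slot the real loop would write */
        if (idx > highest)
            highest = idx;
        if (idx < MAX_DEPTH)           /* guard: keep the model itself safe */
            nps[idx] = (int)i;
    }
    (void)nps;
    return highest;
}

/* True if the walk would write past the end of nps[]. */
static int has_out_of_bounds(const int *depths, size_t count, int slack)
{
    return model_walk(depths, count, slack) >= MAX_DEPTH;
}

int main(void)
{
    printf("defective check: highest index %d, overflow=%d\n",
           model_walk(nested_depths, NESTED_COUNT, 0),
           has_out_of_bounds(nested_depths, NESTED_COUNT, 0));
    printf("corrected check: highest index %d, overflow=%d\n",
           model_walk(nested_depths, NESTED_COUNT, 1),
           has_out_of_bounds(nested_depths, NESTED_COUNT, 1));
    return 0;
}
```

With the defective check a node at depth MAX_DEPTH - 1 passes and the loop writes nps[MAX_DEPTH], one past the end; with the check tightened by one the deepest accepted node writes nps[MAX_DEPTH - 1], the last valid slot. The general lesson is that a depth guard must be derived from the highest index actually written (here depth + 1), not from the depth value alone.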

Reservation

02/25/2024

Disclosure

05/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00248

KEV

no

Activities

very low
