CVE-2022-48744 in Linux
Summary
by MITRE • 06/20/2024
In the Linux kernel, the following vulnerability has been resolved:
net/mlx5e: Avoid field-overflowing memcpy()
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring fields.
Use flexible arrays instead of zero-element arrays (which look like they are always overflowing) and split the cross-field memcpy() into two halves that can be appropriately bounds-checked by the compiler.
We were doing:
#define ETH_HLEN 14 #define VLAN_HLEN 4 ... #define MLX5E_XDP_MIN_INLINE (ETH_HLEN + VLAN_HLEN) ... struct mlx5e_tx_wqe *wqe = mlx5_wq_cyc_get_wqe(wq, pi); ... struct mlx5_wqe_eth_seg *eseg = &wqe->eth; struct mlx5_wqe_data_seg *dseg = wqe->data; ... memcpy(eseg->inline_hdr.start, xdptxd->data, MLX5E_XDP_MIN_INLINE);
target is wqe->eth.inline_hdr.start (which the compiler sees as being 2 bytes in size), but copying 18, intending to write across start (really vlan_tci, 2 bytes). The remaining 16 bytes get written into wqe->data[0], covering byte_count (4 bytes), lkey (4 bytes), and addr
(8 bytes).
struct mlx5e_tx_wqe {
struct mlx5_wqe_ctrl_seg ctrl; /* 0 16 */ struct mlx5_wqe_eth_seg eth; /* 16 16 */ struct mlx5_wqe_data_seg data[]; /* 32 0 */
/* size: 32, cachelines: 1, members: 3 */ /* last cacheline: 32 bytes */ };
struct mlx5_wqe_eth_seg {
u8 swp_outer_l4_offset; /* 0 1 */ u8 swp_outer_l3_offset; /* 1 1 */ u8 swp_inner_l4_offset; /* 2 1 */ u8 swp_inner_l3_offset; /* 3 1 */ u8 cs_flags; /* 4 1 */ u8 swp_flags; /* 5 1 */ __be16 mss; /* 6 2 */ __be32 flow_table_metadata; /* 8 4 */ union {
struct {
__be16 sz; /* 12 2 */ u8 start[2]; /* 14 2 */
} inline_hdr; /* 12 4 */ struct {
__be16 type; /* 12 2 */ __be16 vlan_tci; /* 14 2 */ } insert; /* 12 4 */ __be32 trailer; /* 12 4 */ }; /* 12 4 */
/* size: 16, cachelines: 1, members: 9 */ /* last cacheline: 16 bytes */ };
struct mlx5_wqe_data_seg {
__be32 byte_count; /* 0 4 */ __be32 lkey; /* 4 4 */ __be64 addr; /* 8 8 */
/* size: 16, cachelines: 1, members: 3 */ /* last cacheline: 16 bytes */ };
So, split the memcpy() so the compiler can reason about the buffer sizes.
"pahole" shows no size nor member offset changes to struct mlx5e_tx_wqe nor struct mlx5e_umr_wqe. "objdump -d" shows no meaningful object code changes (i.e. only source line number induced differences and optimizations).
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 09/29/2025
The vulnerability described in CVE-2022-48744 resides within the Linux kernel's mlx5e network driver, specifically addressing a field overflow issue in memory copy operations. This flaw manifests when the driver attempts to copy data into the inline header section of Ethernet segments, where the source data size exceeds the declared field boundaries. The problem occurs during XDP (eXpress Data Path) packet processing, where the driver constructs network packets for transmission through Mellanox ConnectX hardware. The vulnerability stems from the use of zero-length arrays that the compiler interprets as always overflowing, creating potential for memory corruption when memcpy operations extend beyond intended field boundaries. This type of vulnerability falls under CWE-121, which addresses stack-based buffer overflow conditions, and specifically relates to improper bounds checking during memory operations.
The technical implementation flaw involves the mlx5e_tx_wqe structure layout where the eth segment's inline_hdr.start field is only 2 bytes in size, yet the code attempts to copy 18 bytes from the XDP data. This copying operation crosses field boundaries, writing into adjacent memory locations including the data segment's byte_count, lkey, and addr fields. The original code pattern used a single memcpy call that the compiler could not properly analyze for bounds checking, particularly when FORTIFY_SOURCE is enabled for additional compile-time and run-time security checks. The vulnerability demonstrates poor memory management practices in kernel space where buffer overflows can lead to arbitrary memory corruption, potentially enabling privilege escalation or denial of service conditions.
This vulnerability impacts the operational security of systems using Mellanox network adapters with the mlx5e driver, particularly in high-performance computing environments where XDP is utilized for packet processing. The memory corruption could result in system instability, data corruption, or potentially allow attackers to execute arbitrary code with kernel privileges. The flaw affects systems running Linux kernels with the mlx5e driver, especially those implementing XDP for high-speed packet processing, making it relevant to data center networks, cloud infrastructure, and high-frequency trading systems. The vulnerability's exploitation potential is enhanced by the fact that it occurs during normal packet processing operations, making detection difficult and impact widespread across network-intensive applications.
The mitigation strategy involves restructuring the memory copy operations to avoid crossing field boundaries by splitting the single memcpy operation into multiple bounded operations. This approach allows the compiler's FORTIFY_SOURCE checks to properly validate buffer sizes and prevents the overflow condition. The solution maintains the same functional behavior while ensuring proper memory boundaries are respected. This fix aligns with the ATT&CK framework's defense evasion techniques, specifically addressing the use of memory corruption to bypass security controls. The implementation change ensures that the compiler can properly analyze and validate memory operations, preventing the conditions that would allow field overflow during memcpy operations. System administrators should update to kernel versions containing this fix, particularly those using Mellanox hardware with XDP enabled, and monitor for potential performance impacts from the additional bounds checking operations.