CVE-2022-48827 in Linux
Summary
by MITRE • 07/16/2024
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Fix the behavior of READ near OFFSET_MAX
Dan Aloni reports:
> Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to
> the RPC read layers") on the client, a read of 0xfff is aligned up
> to server rsize of 0x1000.
>
> As a result, in a test where the server has a file of size
> 0x7fffffffffffffff, and the client tries to read from the offset
> 0x7ffffffffffff000, the read causes loff_t overflow in the server
> and it returns an NFS code of EINVAL to the client. The client as
> a result indefinitely retries the request.
The Linux NFS client does not handle NFS?ERR_INVAL, even though all NFS specifications permit servers to return that status code for a READ.
Instead of NFS?ERR_INVAL, have out-of-range READ requests succeed and return a short result. Set the EOF flag in the result to prevent the client from retrying the READ request. This behavior appears to be consistent with Solaris NFS servers.
Note that NFSv3 and NFSv4 use u64 offset values on the wire. These must be converted to loff_t internally before use -- an implicit type cast is not adequate for this purpose. Otherwise VFS checks against sb->s_maxbytes do not work properly.
Analysis
by VulDB Data Team • 09/25/2025
The vulnerability CVE-2022-48827 represents a critical issue in the Linux kernel's Network File System (NFS) server implementation that stems from improper handling of READ operations near the maximum file offset. The flaw manifests when a client reads from an extremely large file offset, close to 2^63-1 bytes, the largest value a signed 64-bit integer can hold. The root cause is the interaction between client-side buffer alignment and the server's offset arithmetic: a client read of 0xfff bytes is aligned up to the server's rsize of 0x1000 bytes, so the resulting offset plus count exceeds the range of the server's internal loff_t type. This overflow makes the server return an invalid argument error (EINVAL), which the Linux NFS client does not handle because it has no support for that status code on READ operations.
The technical implementation flaw occurs within the NFS server's handling of the buffer alignment requirement introduced by commit 8cfb9015280d, which mandates that all RPC read layers receive aligned buffers regardless of the actual data size requested. When a client attempts to read from an offset of 0x7ffffffffffff000 in a file of size 0x7fffffffffffffff, the server's internal calculation results in a loff_t overflow. This overflow produces an erroneous EINVAL return code that the client cannot interpret or recover from, leading to indefinite retry loops that consume system resources and can create denial-of-service conditions. The vulnerability specifically affects the conversion between the u64 offset values carried on the wire and the kernel's internal loff_t type, where an implicit type cast is insufficient for proper validation against the filesystem's maximum byte limit.
The operational impact of this vulnerability extends beyond simple performance degradation to compromising system availability and stability. When the NFS client encounters the unhandled EINVAL response, it enters an infinite retry loop for the failed read operation, which can exhaust system resources including memory, file descriptors, and CPU cycles spent on network processing. This behavior creates an attack surface where a malicious actor could trigger resource exhaustion on NFS servers, producing a denial-of-service condition that affects legitimate file access. The vulnerability affects both NFSv3 and NFSv4 because both use u64 offset values on the wire, so the issue spans NFS protocol versions and server implementations.
The mitigation strategy for CVE-2022-48827 modifies the NFS server so that out-of-range READ requests succeed with a short result and the end-of-file flag set, rather than failing with an invalid argument error. This matches the behavior of Solaris NFS servers, which handle such requests by returning partial data together with an EOF indicator, preventing client retry loops. The fix requires explicit conversion of offsets from u64 to loff_t instead of an implicit cast, because the implicit cast does not validate the value against the filesystem's maximum byte limit. This addresses the underlying CWE-191 (Integer Underflow (Wrap or Wraparound)) and CWE-190 (Integer Overflow or Wraparound) weaknesses in the server's offset handling. Additionally, the VFS checks against sb->s_maxbytes only work correctly when the offset is converted before the filesystem boundary validation runs, which prevents those checks from being bypassed for offsets beyond normal operational limits.
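To make the offset handling concrete, here is an added C model (not the kernel's code) that contrasts an implicit-cast range check with the post-fix behaviour described above; koff_t stands in for the kernel's loff_t, and the file size of 0x7fffffffffffffff with a 0x1000-byte read at 0x7ffffffffffff000 are the values from Dan Aloni's report.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for the kernel's signed loff_t; OFFSET_MAX is 0x7fffffffffffffff. */
typedef int64_t koff_t;
#define OFFSET_MAX ((koff_t)INT64_MAX)

/* Outcome of a READ: 0 or EINVAL, bytes to return, and the EOF flag. */
struct read_result { int err; uint32_t count; bool eof; };

/* Illustrative pre-fix behaviour: the wire u64 offset is cast implicitly
 * and the end position is computed in signed space. For offset
 * 0x7ffffffffffff000 and count 0x1000 the end wraps negative, the range
 * check fails with EINVAL, and the client retries forever. */
struct read_result read_before_fix(uint64_t offset, uint32_t count, koff_t size)
{
    struct read_result r = { 0, 0, false };
    koff_t start = (koff_t)offset;                    /* may already be negative */
    koff_t end = (koff_t)(offset + (uint64_t)count);  /* wraps to INT64_MIN here */
    if (start < 0 || end < start) { r.err = EINVAL; return r; }
    if (start >= size) { r.eof = true; return r; }
    koff_t avail = size - start;
    r.count = avail < (koff_t)count ? (uint32_t)avail : count;
    r.eof = start + (koff_t)r.count >= size;
    return r;
}

/* Post-fix behaviour as the advisory describes it: range-check the u64
 * offset before converting it, clamp count so offset + count never
 * exceeds OFFSET_MAX, and answer out-of-range reads with a short result
 * and eof = true instead of NFS?ERR_INVAL. */
struct read_result read_after_fix(uint64_t offset, uint32_t count, koff_t size)
{
    struct read_result r = { 0, 0, false };
    if (offset > (uint64_t)OFFSET_MAX) { r.eof = true; return r; } /* 0 bytes, EOF */
    if ((uint64_t)count > (uint64_t)OFFSET_MAX - offset)
        count = (uint32_t)((uint64_t)OFFSET_MAX - offset);        /* short read */
    koff_t start = (koff_t)offset;                                 /* now non-negative */
    if (start >= size) { r.eof = true; return r; }
    koff_t avail = size - start;
    r.count = avail < (koff_t)count ? (uint32_t)avail : count;
    r.eof = start + (koff_t)r.count >= size;
    return r;
}
```

With the reported values, read_before_fix returns EINVAL while read_after_fix returns the 0xfff bytes that remain and sets eof, which is what stops the client's retry loop.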