CVE-2022-49065 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
SUNRPC: Fix the svc_deferred_event trace class
Fix a NULL deref crash that occurs when an svc_rqst is deferred while the sunrpc tracing subsystem is enabled. svc_revisit() sets dr->xprt to NULL, so it can't be relied upon in the tracepoint to provide the remote's address.
Unfortunately we can't revert the "svc_deferred_class" hunk in commit ece200ddd54b ("sunrpc: Save remote presentation address in svc_xprt for trace events") because there is now a specific check of event format specifiers for unsafe dereferences. The warning that check emits is:
event svc_defer_recv has unsafe dereference of argument 1
A "%pISpc" format specifier with a "struct sockaddr *" is indeed flagged by this check.
Instead, take the brute-force approach used by the svcrdma_qp_error tracepoint. Convert the dr::addr field into a presentation address in the TP_fast_assign() arm of the trace event, and store that as a string. This fix can be backported to -stable kernels.
In the meantime, commit c6ced22997ad ("tracing: Update print fmt check to handle new __get_sockaddr() macro") is now in v5.18, so this wonky fix can be replaced with __sockaddr() and friends properly during the v5.19 merge window.
Analysis
by VulDB Data Team • 06/12/2025
CVE-2022-49065 is a critical null pointer dereference in the Linux kernel's sunrpc subsystem that manifests when tracing is enabled. It occurs during the deferral of service requests: svc_revisit() sets the dr->xprt field to NULL, so tracepoint handlers can no longer rely on it to obtain the remote address. The svc_deferred_event trace class nonetheless dereferences that NULL pointer when a deferred RPC request is processed, crashing the system and creating a denial of service condition. Affected systems are those running a kernel version containing the flaw while the sunrpc tracing subsystem is active, in particular network services built on remote procedure calls.
The vulnerability arises from the interaction between the service request deferral mechanism and the kernel's tracing infrastructure. When svc_revisit() processes a deferred request it explicitly nullifies the transport pointer in the deferred request structure, yet the tracepoint handler still attempts to access this now-invalid reference. Simply reverting the svc_deferred_class hunk of the commit that introduced this behaviour was not an option, because the kernel's tracing subsystem now checks event format specifiers for unsafe dereferences and flags the "%pISpc" specifier applied to a struct sockaddr pointer, since that pointer can become NULL during the deferral process. That event format validation exists precisely to catch dereferences that could lead to system instability, and it identifies this pattern as unsafe.
The operational impact of CVE-2022-49065 extends beyond a single crash to service availability and system stability in networked environments. Systems using sunrpc services such as NFS, RPC-based file sharing, or distributed computing frameworks can terminate unexpectedly when tracing is enabled and a request is deferred. The vulnerability affects both current and stable kernel releases, which is particularly concerning for production environments where kernel updates may be delayed. Organizations running affected kernel versions risk service disruption, especially during high-traffic periods when RPC request deferral is more likely. The null pointer dereference produces kernel oops messages and can panic the system, requiring manual intervention and a restart to restore normal operation.
The mitigation for CVE-2022-49065 is the fix that converts the deferred request's address field into a presentation address inside the trace event's TP_fast_assign() arm and stores it as a string, so the event never dereferences a potentially NULL pointer. This follows the pattern already used by the svcrdma_qp_error tracepoint and is consistent with kernel development practice. The fix is backportable to stable kernel releases, so organizations can apply it without an immediate major kernel upgrade. The kernel developers have also noted that later kernels will be able to use the improved __sockaddr() macros from the v5.19 merge window onward, giving a cleaner implementation. The vulnerability is classified under CWE-476 (null pointer dereference) and is associated with the broader ATT&CK technique T1489 involving system network configuration modification through kernel-level vulnerabilities. Organizations should prioritize applying this patch to prevent potential exploitation that could lead to system compromise or service disruption in networked environments relying on sunrpc functionality.
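The following user-space C program is an added example, not code from the Linux kernel, the commit, or VulDB. It models the two tracepoint patterns contrasted above: an event that records a pointer reached through dr->xprt and dereferences it when printed (which faults once svc_revisit() has nulled dr->xprt), and an event that converts the copy of the peer address held in dr::addr into a presentation string at record time, as the fix does in TP_fast_assign(). Every struct and function name here (xprt, deferred_req, record_event_ptr, record_event_str, deferral_scenario) is a hypothetical stand-in for the kernel's svc_xprt, svc_deferred_req and svc_deferred_event machinery, and the peer addresses are constructed test values.

```c
/* Added example (not kernel code): pointer-at-print-time tracepoint vs.
 * string-at-record-time tracepoint, modelled in user space. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define ADDR_STR_LEN 64

struct xprt {                       /* hypothetical stand-in for svc_xprt */
    struct sockaddr_storage remote; /* stand-in for xpt_remote */
};

struct deferred_req {               /* hypothetical stand-in for svc_deferred_req */
    struct xprt *xprt;              /* set to NULL by svc_revisit() */
    struct sockaddr_storage addr;   /* copy of the peer address (dr::addr) */
};

/* Render a sockaddr as "ip:port" or "[ip6]:port", like the %pISpc specifier.
 * Returns 0 on success, -1 for an unsupported address family. */
static int sockaddr_to_str(const struct sockaddr_storage *ss, char *buf, size_t len)
{
    char ip[INET6_ADDRSTRLEN];

    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *s4 = (const struct sockaddr_in *)ss;
        inet_ntop(AF_INET, &s4->sin_addr, ip, sizeof ip);
        snprintf(buf, len, "%s:%u", ip, ntohs(s4->sin_port));
        return 0;
    }
    if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *s6 = (const struct sockaddr_in6 *)ss;
        inet_ntop(AF_INET6, &s6->sin6_addr, ip, sizeof ip);
        snprintf(buf, len, "[%s]:%u", ip, ntohs(s6->sin6_port));
        return 0;
    }
    snprintf(buf, len, "(unsupported family %d)", ss->ss_family);
    return -1;
}

/* Broken pattern: the event stores a pointer and dereferences it at print time. */
struct event_ptr { const struct xprt *xprt; };

static void record_event_ptr(struct event_ptr *ev, const struct deferred_req *dr)
{
    ev->xprt = dr->xprt;            /* already NULL after svc_revisit() */
}

/* Returns NULL where the kernel tracepoint would oops on the NULL dereference. */
static const char *print_event_ptr(const struct event_ptr *ev, char *buf, size_t len)
{
    if (!ev->xprt)
        return NULL;
    sockaddr_to_str(&ev->xprt->remote, buf, len);
    return buf;
}

/* Fixed pattern: convert dr->addr to a string while recording (the
 * TP_fast_assign() step); printing reads only the string in the event. */
struct event_str { char addr[ADDR_STR_LEN]; };

static void record_event_str(struct event_str *ev, const struct deferred_req *dr)
{
    sockaddr_to_str(&dr->addr, ev->addr, sizeof ev->addr);
}

/* Build a transport and deferred request from a constructed peer address. */
static int make_req(struct deferred_req *dr, struct xprt *xp, int af,
                    const char *ip, unsigned port)
{
    memset(xp, 0, sizeof *xp);
    memset(dr, 0, sizeof *dr);
    if (af == AF_INET) {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&xp->remote;
        s4->sin_family = AF_INET;
        s4->sin_port = htons(port);
        if (inet_pton(AF_INET, ip, &s4->sin_addr) != 1)
            return -1;
    } else {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&xp->remote;
        s6->sin6_family = AF_INET6;
        s6->sin6_port = htons(port);
        if (inet_pton(AF_INET6, ip, &s6->sin6_addr) != 1)
            return -1;
    }
    dr->xprt = xp;
    dr->addr = xp->remote;          /* the copy the fix reads instead of dr->xprt */
    return 0;
}

/* Deferral scenario: svc_revisit() nulls dr->xprt, then both event styles fire.
 * Returns 1 when the pointer-style event would have faulted while the
 * string-style event still yields the expected presentation address. */
int deferral_scenario(int af, const char *ip, unsigned port, const char *expected)
{
    struct xprt xp;
    struct deferred_req dr;
    struct event_ptr ep;
    struct event_str es;
    char buf[ADDR_STR_LEN];

    if (make_req(&dr, &xp, af, ip, port) != 0)
        return 0;
    dr.xprt = NULL;                 /* what svc_revisit() does before the event */
    record_event_ptr(&ep, &dr);
    record_event_str(&es, &dr);
    return print_event_ptr(&ep, buf, sizeof buf) == NULL &&
           strcmp(es.addr, expected) == 0;
}

int main(void)
{
    printf("ipv4: %s\n", deferral_scenario(AF_INET, "192.0.2.10", 2049,
                                           "192.0.2.10:2049") ? "fix holds" : "mismatch");
    printf("ipv6: %s\n", deferral_scenario(AF_INET6, "2001:db8::1", 2049,
                                           "[2001:db8::1]:2049") ? "fix holds" : "mismatch");
    return 0;
}
```

The design point is that a trace event must own everything it prints: copying the address into the event record at the moment the tracepoint fires removes any dependency on the lifetime or validity of dr->xprt, which is also why the kernel's format-specifier check rejects "%pISpc" on a stored pointer but accepts a string field.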