CVE-2022-49321 in Linux
Summary
by MITRE • 02/26/2025
In the Linux kernel, the following vulnerability has been resolved:
xprtrdma: treat all calls not a bcall when bc_serv is NULL
When an RDMA server returns a fault format reply, the NFS v3 client may treat it as a bcall when the bc service does not exist.
The debug messages at rpcrdma_bc_receive_call are:
[56579.837169] RPC: rpcrdma_bc_receive_call: callback XID 00000001, length=20
[56579.837174] RPC: rpcrdma_bc_receive_call: 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
After that, rpcrdma_bc_receive_call will meet a NULL pointer as:
[ 226.057890] BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8
...
[ 226.058704] RIP: 0010:_raw_spin_lock+0xc/0x20
...
[ 226.059732] Call Trace:
[ 226.059878] rpcrdma_bc_receive_call+0x138/0x327 [rpcrdma]
[ 226.060011] __ib_process_cq+0x89/0x170 [ib_core]
[ 226.060092] ib_cq_poll_work+0x26/0x80 [ib_core]
[ 226.060257] process_one_work+0x1a7/0x360
[ 226.060367] ? create_worker+0x1a0/0x1a0
[ 226.060440] worker_thread+0x30/0x390
[ 226.060500] ? create_worker+0x1a0/0x1a0
[ 226.060574] kthread+0x116/0x130
[ 226.060661] ? kthread_flush_work_fn+0x10/0x10
[ 226.060724] ret_from_fork+0x35/0x40
...
Analysis
by VulDB Data Team • 06/12/2025
CVE-2022-49321 affects the Linux kernel's rpcrdma subsystem, specifically the xprtrdma transport that carries RPC traffic for NFS v3 clients over RDMA (Remote Direct Memory Access). The flaw is a critical NULL pointer dereference that occurs when the client processes a fault format reply from an RDMA server, which can crash the kernel and destabilize the system. It stems from improper handling of backchannel calls (bcalls) when the backchannel service (bc_serv) is NULL: the code goes on to dereference a NULL pointer while processing the incoming message.
The affected code path is rpcrdma_bc_receive_call, which processes incoming backchannel (callback) calls from RDMA servers. When a fault format reply arrives from an NFS v3 server and no backchannel service has been initialized, the code incorrectly treats the reply as a legitimate backchannel call rather than as a fault response. The debug output shows callback XID 00000001 being processed as a 20-byte payload, which is the misclassified reply. The subsequent kernel oops is a NULL pointer dereference at address 0x00000000000000c8 with RIP in _raw_spin_lock: the code is trying to take a spinlock that sits at a small offset inside a structure whose base pointer is NULL.
This vulnerability corresponds to CWE-476 (NULL Pointer Dereference) and belongs to the broader class of kernel-level memory corruption issues that may be exploited for privilege escalation or denial of service. Its operational impact goes beyond a single crash, as it can be leveraged to make systems running NFS v3 over RDMA networks unstable. It particularly affects systems that use RDMA hardware for high-performance networking, so it is most relevant to data center and enterprise environments that rely on high-speed storage networking protocols.
The security implications align with ATT&CK technique T1499.004, which covers network denial of service attacks, since the NULL pointer dereference results in system crashes and service unavailability. The vulnerability could additionally be classified under T1068 (exploitation for privilege escalation), since kernel-level memory corruption can potentially be exploited to gain elevated privileges. Organizations running NFS v3 services over RDMA infrastructure should prioritize patching, as the flaw is a potential entry point for attackers seeking to disrupt services or gain unauthorized access to systems. The kernel fix resolves the issue by treating every incoming call as not a backchannel call when the bc_serv context is NULL, so the code never dereferences the NULL pointer during protocol processing.
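The misclassification and the fix, as an added example in C that is not the kernel's own code: the structures, function names and the CALL-header check are simplified models (assumptions), and the sample payload is constructed from the 20-byte dump in the summary above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified models (assumptions), not the kernel's rpcrdma structures. */
struct rpc_bc_serv { int pending; };                /* stands in for bc_serv */
struct xprt_model { struct rpc_bc_serv *bc_serv; }; /* NULL: no backchannel */
enum rpc_msg_type { RPC_CALL = 0, RPC_REPLY = 1 };
enum rpcrdma_disposition { RDMA_BCALL = 1, RDMA_REPLY = 2 };

/* Read the big-endian 32-bit XDR word at byte offset off. */
uint32_t xdr_word(const uint8_t *p, size_t off)
{
    return ((uint32_t)p[off] << 24) | ((uint32_t)p[off + 1] << 16) |
           ((uint32_t)p[off + 2] << 8) | (uint32_t)p[off + 3];
}
/* Pre-fix logic: an RPC header saying CALL makes the message a backchannel
 * call, whether or not a backchannel service exists. */
bool is_bcall_unpatched(const uint8_t *payload, size_t len)
{
    return len >= 8 && xdr_word(payload, 4) == RPC_CALL;
}
/* Post-fix logic: with no backchannel service nothing is a bcall, so the
 * caller never reaches bc_serv and cannot dereference NULL. */
bool is_bcall_patched(const struct xprt_model *xprt, const uint8_t *payload,
                      size_t len)
{
    if (xprt->bc_serv == NULL)
        return false;
    return is_bcall_unpatched(payload, len);
}
/* Route an incoming message; bc_serv is touched only on the bcall path. */
enum rpcrdma_disposition dispatch_patched(struct xprt_model *xprt,
                                          const uint8_t *payload, size_t len)
{
    if (is_bcall_patched(xprt, payload, len)) {
        xprt->bc_serv->pending++;   /* safe: bc_serv is non-NULL here */
        return RDMA_BCALL;
    }
    return RDMA_REPLY;              /* matched against outstanding requests */
}
/* Constructed from the 20-byte dump in the summary: XID 1, msg_type 0 (CALL). */
const uint8_t sample_reply[20] = { 0,0,0,1, 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,4 };
/* Run the sample through the patched dispatch, with or without a backchannel. */
enum rpcrdma_disposition classify_sample(bool with_bc)
{
    struct rpc_bc_serv bc = { 0 };
    struct xprt_model xprt = { with_bc ? &bc : NULL };
    return dispatch_patched(&xprt, sample_reply, sizeof sample_reply);
}
```

With no backchannel configured the pre-fix check still says "bcall" for this payload, which is exactly the path that reached the NULL bc_serv; the patched dispatch sends it to the reply path instead.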