CVE-2022-29503: 
NixOS vulnerability analysis and mitigation

A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. The vulnerability was discovered in May 2022 and publicly disclosed on September 22, 2022. The affected systems include uClibC 0.9.33.2, uClibC-ng 1.0.40, and Anker Eufy Homebase 2 2.1.8.8h. Both uClibC and uClibC-ng are standalone replacements for glibc, designed to be smaller and more portable for embedded environments (Talos Report).

The vulnerability occurs in the thread allocation process when pthreadcreate is called. The issue stems from the use of MAPFIXED flag in mmap calls during thread stack allocation, which forces the mapping at exact addresses. As thread segments are incremented, the allocation moves to lower memory addresses, potentially overwriting loaded libraries or application code. The vulnerability has a CVSSv3 score of 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified as CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer (Talos Report).

The vulnerability can lead to memory corruption when a large number of threads are created. This condition is more likely to occur in 32-bit memory spaces. The impact can include the overwriting of loaded libraries or even the application code itself, potentially leading to code execution or system compromise (Talos Report).

For uClibC users, avoiding the linuxthreads.old implementation is recommended. In the case of uClibC-ng, since it only has a single linuxthreads implementation within the codebase, any linuxthreads-based implementation of libpthread is vulnerable. Users of Buildroot should be particularly cautious when selecting threading implementations (Talos Report).