CVE-2024-46682 nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open

2024-09-1305:29:15

Linux

www.cve.org

linux kernel

vulnerability

nfsv4.0

nfsv4.0 closed files

nfsd

kernel oopsing

stateids

EPSS

Percentile

9.6%

JSON

In the Linux kernel, the following vulnerability has been resolved:

nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open

Prior to commit 3f29cc82a84c (“nfsd: split sc_status out of
sc_type”) states_show() relied on sc_type field to be of valid
type before calling into a subfunction to show content of a
particular stateid. From that commit, we split the validity of
the stateid into sc_status and no longer changed sc_type to 0
while unhashing the stateid. This resulted in kernel oopsing
for nfsv4.0 opens that stay around and in nfs4_show_open()
would derefence sc_file which was NULL.

Instead, for closed open stateids forgo displaying information
that relies of having a valid sc_file.

To reproduce: mount the server with 4.0, read and close
a file and then on the server cat /proc/fs/nfsd/clients/2/states

[ 513.590804] Call trace:
[ 513.590925] _raw_spin_lock+0xcc/0x160
[ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd]
[ 513.591412] states_show+0x44c/0x488 [nfsd]
[ 513.591681] seq_read_iter+0x5d8/0x760
[ 513.591896] seq_read+0x188/0x208
[ 513.592075] vfs_read+0x148/0x470
[ 513.592241] ksys_read+0xcc/0x178

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/nfsd/nfs4state.c"
    ],
    "versions": [
      {
        "version": "3f29cc82a84c",
        "lessThan": "ba0b697de298",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "3f29cc82a84c",
        "lessThan": "a204501e1743",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "fs/nfsd/nfs4state.c"
    ],
    "versions": [
      {
        "version": "6.9",
        "status": "affected"
      },
      {
        "version": "0",
        "lessThan": "6.9",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10.8",
        "lessThanOrEqual": "6.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.11",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]