A recent vulnerability discovered in the Linux kernel caused panic in the NFSv4. subsystem. This issue has now been resolved, ensuring the stability and security of Linux systems that rely on NFSv4..

Details

The Linux kernel vulnerability was found in the nfsd subsystem, specifically in the function nfs4_show_open. Prior to commit 3f29cc82a84c ("nfsd: split sc_status out of sc_type"), the states_show() function relied on the sc_type field to be a valid type before calling into a subfunction to show the content of a particular stateid. This vulnerability has been discussed in detail on the Linux Kernel Mailing List [1].

However, after the aforementioned commit, the validity of the stateid was split using sc_status, and the sc_type field was no longer set to when unhashing the stateid. This caused the kernel to crash for NFSv4. clients when handling open stateids without a valid sc_file. The kernel would dereference sc_file even if it was NULL, leading to a panic.

The solution to this issue is to display information for closed open stateids only if they have a valid sc_file. This prevents the kernel from attempting to access nonexistent files, thus avoiding the panic.

On the client, read and close a file

3. On the server, run cat /proc/fs/nfsd/clients/2/states

You should encounter a kernel oops, showing a similar call trace as shown below

[  513.590804] Call trace:
[  513.590925]  _raw_spin_lock+xcc/x160
[  513.591119]  nfs4_show_open+x78/x2c [nfsd]
[  513.591412]  states_show+x44c/x488 [nfsd]
[  513.591681]  seq_read_iter+x5d8/x760
[  513.591896]  seq_read+x188/x208
[  513.592075]  vfs_read+x148/x470
[  513.592241]  ksys_read+xcc/x178

With the fix in place, the kernel no longer crashes during this process.

Original References

1. Linux Kernel Mailing List: https://lore.kernel.org/r/[2]

Exploit Details

The vulnerability described in this post, identified as CVE-2024-46682, affects the Linux kernel when handling NFSv4. closed files in the nfs4_show_open function. An attacker could potentially exploit this vulnerability by causing the kernel to panic, leading to a denial-of-service attack. However, with the fix now in place, the kernel will only display information for closed open stateids with a valid sc_file, preventing the panic from occurring.

Conclusion

The Linux kernel vulnerability in the NFSv4. subsystem, identified as CVE-2024-46682, has been resolved. This fix prevents kernel panic by ensuring that information is only displayed for closed open stateids with a valid sc_file. Linux users are encouraged to check for updates and apply the latest patches regularly to maintain the stability and security of their systems.

Timeline

Published on: 09/13/2024 06:15:12 UTC
Last modified on: 09/15/2024 17:57:33 UTC