CVE-2024-46682 Information

Description

In the Linux kernel the following vulnerability has been resolved:

nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open

Prior to commit 3f29cc82a84c ( fsd: split sc_status out of sc_type) states_show() relied on sc_type field to be of valid type before calling into a subfunction to show content of a particular stateid. From that commit we split the validity of the stateid into sc_status and no longer changed sc_type to 0 while unhashing the stateid. This resulted in kernel oopsing for nfsv4.0 opens that stay around and in nfs4_show_open() would derefence sc_file which was NULL.

Instead for closed open stateids forgo displaying information that relies of having a valid sc_file.

To reproduce: mount the server with 4.0 read and close a file and then on the server cat /proc/fs/nfsd/clients/2/states

[ 513.590804] Call trace: [ 513.590925] _raw_spin_lock+0xcc/0x160 [ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd] [ 513.591412] states_show+0x44c/0x488 [nfsd] [ 513.591681] seq_read_iter+0x5d8/0x760 [ 513.591896] seq_read+0x188/0x208 [ 513.592075] vfs_read+0x148/0x470 [ 513.592241] ksys_read+0xcc/0x178

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Reference

https://git.kernel.org/stable/c/ba0b697de298285301c71c258598226e06494236 https://git.kernel.org/stable/c/a204501e1743d695ca2930ed25a2be9f8ced96d3

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

NONE

Base Score

HIGH

Base Severity

5.5