Bug 2298168 (CVE-2022-48829)

Summary: CVE-2022-48829 kernel: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dfreiber, drow, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 5.10.220, kernel 5.15.24, kernel 5.16.10, kernel 5.17 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's NFSD, specifically in the handling of large file sizes during NFSv3 SETATTR and CREATE operations. The ia_size field, being a signed 64-bit type, can lead to unexpected behavior when clients send size values larger than the maximum allowed. This improper handling can result in silent value capping, potentially leading to data corruption in file size management.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2024-07-16 12:50:03 UTC 
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes

iattr::ia_size is a loff_t, so these NFSv3 procedures must be
careful to deal with incoming client size values that are larger
than s64_max without corrupting the value.

Silently capping the value results in storing a different value
than the client passed in which is unexpected behavior, so remove
the min_t() check in decode_sattr3().

Note that RFC 1813 permits only the WRITE procedure to return
NFS3ERR_FBIG. We believe that NFSv3 reference implementations
also return NFS3ERR_FBIG when ia_size is too large.
Comment 6 errata-xmlrpc 2024-08-13 07:26:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:5266 https://access.redhat.com/errata/RHSA-2024:5266
Comment 7 errata-xmlrpc 2024-08-13 14:26:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:5282 https://access.redhat.com/errata/RHSA-2024:5282
Comment 8 errata-xmlrpc 2024-08-13 14:34:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5281 https://access.redhat.com/errata/RHSA-2024:5281
Comment 10 errata-xmlrpc 2024-09-24 00:34:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:6992 https://access.redhat.com/errata/RHSA-2024:6992