Bug 2426034 (CVE-2022-50861)

Summary: CVE-2022-50861 kernel: NFSD: Finish converting the NFSv2 GETACL result encoder
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: rhel-process-autobot, watson-tool-maintainers
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was identified in the Linux kernel’s NFSD NFSv2 GETACL result encoder. During conversion to xdr_stream, leftover code erroneously set the page_len field of the send buffer. The XDR stream encoders are expected to manage buffer length automatically, and the incorrect manual setting can result in additional unused data beyond the legitimate response message being transmitted. Although most NFSv2 clients will ignore this extra data, it may contain stale kernel memory contents and can be observed on the network.

Description OSIDB Bzimport 2025-12-30 13:03:41 UTC
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Finish converting the NFSv2 GETACL result encoder

The xdr_stream conversion inadvertently left some code that set the
page_len of the send buffer. The XDR stream encoders should handle
this automatically now.

This oversight adds garbage past the end of the Reply message.
Clients typically ignore the garbage, but NFSD does not need to send
it, as it leaks stale memory contents onto the wire.