Bug 2334823 (CVE-2024-56740) - CVE-2024-56740 kernel: nfs/localio: must clear res.replen in nfs_local_read_done
Summary: CVE-2024-56740 kernel: nfs/localio: must clear res.replen in nfs_local_read_done
Keywords:
Status: NEW
Alias: CVE-2024-56740
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-12-29 12:02 UTC by OSIDB Bzimport
Modified: 2025-01-21 12:51 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2024-12-29 12:02:19 UTC 
In the Linux kernel, the following vulnerability has been resolved:

nfs/localio: must clear res.replen in nfs_local_read_done

Otherwise memory corruption can occur due to NFSv3 LOCALIO reads
leaving garbage in res.replen:
- nfs3_read_done() copies that into server->read_hdrsize; from there
  nfs3_proc_read_setup() copies it to args.replen in new requests.
- nfs3_xdr_enc_read3args() passes that to rpc_prepare_reply_pages()
  which includes it in hdrsize for xdr_init_pages, so that rq_rcv_buf
  contains a ridiculous len.
- This is copied to rq_private_buf and xs_read_stream_request()
  eventually passes the kvec to sock_recvmsg() which receives incoming
  data into entirely the wrong place.

This is easily reproduced with NFSv3 LOCALIO that is servicing reads
when it is made to pivot back to using normal RPC.  This switch back
to using normal NFSv3 with RPC can occur for a few reasons but this
issue was exposed with a test that stops and then restarts the NFSv3
server while LOCALIO is performing heavy read IO.
Comment 1 Avinash Hanwate 2024-12-30 04:05:52 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2024122925-CVE-2024-56740-6b7b@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.