Bug 2298167 (CVE-2022-48828) - CVE-2022-48828 kernel: NFSD: Fix ia_size underflow
Summary: CVE-2022-48828 kernel: NFSD: Fix ia_size underflow
Keywords:
Status: NEW
Alias: CVE-2022-48828
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-07-16 12:49 UTC by OSIDB Bzimport
Modified: 2024-09-24 00:34 UTC (History)
4 users (show)

Fixed In Version: kernel 5.10.220, kernel 5.15.24, kernel 5.16.10, kernel 5.17
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Linux kernel's NFSD, where an underflow in the ia_size field can occur due to incorrect handling of file size types. When an NFS client sends a file size greater than the maximum value the system can handle, it can lead to an underflow in the ia_size variable, causing unpredictable behavior. This vulnerability impacts the integrity and reliability of file operations in NFS.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:5538 0 None None None 2024-08-19 06:09:41 UTC
Red Hat Product Errata RHSA-2024:5266 0 None None None 2024-08-13 07:26:20 UTC
Red Hat Product Errata RHSA-2024:5281 0 None None None 2024-08-13 14:34:06 UTC
Red Hat Product Errata RHSA-2024:5282 0 None None None 2024-08-13 14:26:56 UTC
Red Hat Product Errata RHSA-2024:6992 0 None None None 2024-09-24 00:34:36 UTC

Description OSIDB Bzimport 2024-07-16 12:49:50 UTC
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Fix ia_size underflow

iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and
NFSv4 both define file size as an unsigned 64-bit type. Thus there
is a range of valid file size values an NFS client can send that is
already larger than Linux can handle.

Currently decode_fattr4() dumps a full u64 value into ia_size. If
that value happens to be larger than S64_MAX, then ia_size
underflows. I'm about to fix up the NFSv3 behavior as well, so let's
catch the underflow in the common code path: nfsd_setattr().

Comment 6 errata-xmlrpc 2024-08-13 07:26:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:5266 https://access.redhat.com/errata/RHSA-2024:5266

Comment 7 errata-xmlrpc 2024-08-13 14:26:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:5282 https://access.redhat.com/errata/RHSA-2024:5282

Comment 8 errata-xmlrpc 2024-08-13 14:34:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2024:5281 https://access.redhat.com/errata/RHSA-2024:5281

Comment 10 errata-xmlrpc 2024-09-24 00:34:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2024:6992 https://access.redhat.com/errata/RHSA-2024:6992


Note You need to log in before you can comment on or make changes to this bug.