CVE-2023-53083

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
02/05/2025
Last modified:
05/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: don't replace page in rq_pages if it's a continuation of last page

The splice read calls nfsd_splice_actor to put the pages containing file data into the svc_rqst->rq_pages array. It's possible however to get a splice result that only has a partial page at the end, if (e.g.) the filesystem hands back a short read that doesn't cover the whole page.

nfsd_splice_actor will plop the partial page into its rq_pages array and return. Then later, when nfsd_splice_actor is called again, the remainder of the page may end up being filled out. At this point, nfsd_splice_actor will put the page into the array _again_ corrupting the reply. If this is done enough times, rq_next_page will overrun the array and corrupt the trailing fields -- the rq_respages and rq_next_page pointers themselves.

If we've already added the page to the array in the last pass, don't add it to the array a second time when dealing with a splice continuation. This was originally handled properly in nfsd_splice_actor, but commit 91e23b1c3982 ("NFSD: Clean up nfsd_splice_actor()") removed the check for it.
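The mechanism above is easier to see in a small model. The following is an added example, not the kernel's nfsd_splice_actor or any code from the fix: it keeps a fixed-size page-pointer array with a "next free slot" pointer, replays a constructed splice stream in which every page arrives as a short read followed by its continuation, and compares an actor with no continuation check against one that skips a page already stored as the last entry in the previous pass. The struct field names mirror the description; the array size, the page type and the `replay`/`demo_stream` helpers are assumptions made for the model. Where the real overrun would write past rq_pages onto the trailing pointers, the model returns -1 instead of performing the out-of-bounds write.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the rq_pages bookkeeping; not the kernel's code. */
#define RQ_PAGES 4                    /* deliberately small so the overrun is reached quickly */

typedef struct page { char name; } page_t;   /* a page is just an identity here */

struct rqst {
    page_t *rq_pages[RQ_PAGES];       /* pages holding reply data */
    page_t **rq_next_page;            /* next free slot in rq_pages */
    page_t **rq_respages;             /* trailing pointer the real overrun corrupts */
};

static void rqst_init(struct rqst *r)
{
    memset(r, 0, sizeof(*r));
    r->rq_next_page = r->rq_pages;
    r->rq_respages = r->rq_pages;
}

static int rqst_count(const struct rqst *r)
{
    return (int)(r->rq_next_page - r->rq_pages);
}

/*
 * One splice callback. With 'checked' set, a page that is already the last
 * stored entry is treated as the continuation of a partial page from the
 * previous pass and is not stored a second time.
 *
 * Returns the number of pages stored, or -1 when the actor would write past
 * the end of rq_pages. The kernel has no such guard: the stray write would
 * land on rq_respages and rq_next_page themselves.
 */
static int splice_actor(struct rqst *r, page_t *pg, bool checked)
{
    if (checked && rqst_count(r) > 0 && *(r->rq_next_page - 1) == pg)
        return rqst_count(r);         /* continuation: already in the array */

    if (r->rq_next_page >= r->rq_pages + RQ_PAGES)
        return -1;                    /* would overrun the array */

    *r->rq_next_page++ = pg;
    return rqst_count(r);
}

/* Replay a sequence of splice results; returns the final count or -1 on overrun. */
static int replay(bool checked, page_t **seq, size_t n)
{
    struct rqst r;
    int count = 0;

    rqst_init(&r);
    for (size_t i = 0; i < n; i++) {
        count = splice_actor(&r, seq[i], checked);
        if (count < 0)
            return -1;
    }
    return count;
}

/* Constructed splice stream: three pages, each handed to the actor twice
 * (short read, then its continuation), as the description discusses. */
static int demo_stream(bool checked)
{
    page_t a = {'A'}, b = {'B'}, c = {'C'};
    page_t *seq[] = { &a, &a, &b, &b, &c, &c };

    return replay(checked, seq, sizeof seq / sizeof seq[0]);
}

int main(void)
{
    printf("unchecked actor: %d\n", demo_stream(false)); /* -1: A A B B fill the array, C overruns */
    printf("checked actor:   %d\n", demo_stream(true));  /*  3: A B C stored once each */
    return 0;
}
```

With the check absent, the duplicate entries double the space each file page consumes, so a reply that should fit in four slots needs six and the write runs past the array. Comparing only against the last stored entry is enough because a continuation always follows the partial page it completes; a different page arriving in between means the earlier page is complete and a later repeat of it is genuinely new data.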

Impact