CVE-2023-54276

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/12/2025
Last modified: 30/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net

Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down.

This is a regression and a user-triggerable oops in the right situation:

- non-x86_64 arch
- /proc/fs/nfsd is mounted in the namespace
- nfsd is not started in the namespace
- unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats"

Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing.

Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time.

Kudos to Eirik who did most of the legwork to track this down.

Impact