CVE

CVE-2024-46682

Severity:
MEDIUM
Type:
CWE-476 NULL Pointer Dereference
Publication date:
13/09/2024
Last modified:
13/09/2024

Description

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open<br /> <br /> Prior to commit 3f29cc82a84c ("nfsd: split sc_status out of<br /> sc_type") states_show() relied on sc_type field to be of valid<br /> type before calling into a subfunction to show content of a<br /> particular stateid. From that commit, we split the validity of<br /> the stateid into sc_status and no longer changed sc_type to 0<br /> while unhashing the stateid. This resulted in kernel oopsing<br /> for nfsv4.0 opens that stay around and in nfs4_show_open()<br /> would derefence sc_file which was NULL.<br /> <br /> Instead, for closed open stateids forgo displaying information<br /> that relies of having a valid sc_file.<br /> <br /> To reproduce: mount the server with 4.0, read and close<br /> a file and then on the server cat /proc/fs/nfsd/clients/2/states<br /> <br /> [ 513.590804] Call trace:<br /> [ 513.590925] _raw_spin_lock+0xcc/0x160<br /> [ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd]<br /> [ 513.591412] states_show+0x44c/0x488 [nfsd]<br /> [ 513.591681] seq_read_iter+0x5d8/0x760<br /> [ 513.591896] seq_read+0x188/0x208<br /> [ 513.592075] vfs_read+0x148/0x470<br /> [ 513.592241] ksys_read+0xcc/0x178

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.9 (including) 6.10.8 (excluding)
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:*