CVE-2024-46682
Severity:
MEDIUM
Type:
CWE-476
NULL Pointer Dereference
Publication date:
13/09/2024
Last modified:
13/09/2024
Description
In the Linux kernel, the following vulnerability has been resolved:<br />
<br />
nfsd: prevent panic for nfsv4.0 closed files in nfs4_show_open<br />
<br />
Prior to commit 3f29cc82a84c ("nfsd: split sc_status out of<br />
sc_type") states_show() relied on sc_type field to be of valid<br />
type before calling into a subfunction to show content of a<br />
particular stateid. From that commit, we split the validity of<br />
the stateid into sc_status and no longer changed sc_type to 0<br />
while unhashing the stateid. This resulted in kernel oopsing<br />
for nfsv4.0 opens that stay around and in nfs4_show_open()<br />
would derefence sc_file which was NULL.<br />
<br />
Instead, for closed open stateids forgo displaying information<br />
that relies of having a valid sc_file.<br />
<br />
To reproduce: mount the server with 4.0, read and close<br />
a file and then on the server cat /proc/fs/nfsd/clients/2/states<br />
<br />
[ 513.590804] Call trace:<br />
[ 513.590925] _raw_spin_lock+0xcc/0x160<br />
[ 513.591119] nfs4_show_open+0x78/0x2c0 [nfsd]<br />
[ 513.591412] states_show+0x44c/0x488 [nfsd]<br />
[ 513.591681] seq_read_iter+0x5d8/0x760<br />
[ 513.591896] seq_read+0x188/0x208<br />
[ 513.592075] vfs_read+0x148/0x470<br />
[ 513.592241] ksys_read+0xcc/0x178
Impact
Base Score 3.x
5.50
Severity 3.x
MEDIUM
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.9 (including) | 6.10.8 (excluding) |
cpe:2.3:o:linux:linux_kernel:6.11:rc1:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc2:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc3:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc4:*:*:*:*:*:* | ||
cpe:2.3:o:linux:linux_kernel:6.11:rc5:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page