CVE-2024-56740

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
29/12/2024
Last modified:
07/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nfs/localio: must clear res.replen in nfs_local_read_done

Otherwise memory corruption can occur due to NFSv3 LOCALIO reads leaving garbage in res.replen:

- nfs3_read_done() copies that into server->read_hdrsize; from there nfs3_proc_read_setup() copies it to args.replen in new requests.
- nfs3_xdr_enc_read3args() passes that to rpc_prepare_reply_pages() which includes it in hdrsize for xdr_init_pages, so that rq_rcv_buf contains a ridiculous len.
- This is copied to rq_private_buf and xs_read_stream_request() eventually passes the kvec to sock_recvmsg() which receives incoming data into entirely the wrong place.

This is easily reproduced with NFSv3 LOCALIO that is servicing reads when it is made to pivot back to using normal RPC. This switch back to using normal NFSv3 with RPC can occur for a few reasons but this issue was exposed with a test that stops and then restarts the NFSv3 server while LOCALIO is performing heavy read IO.

Vulnerable products and versions

CPE                                             From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*    6.12 (including)   6.12.2 (excluding)