CVE-2021-47107
Severity CVSS v4.0:
Pending analysis
Type:
CWE-120
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Publication date:
04/03/2024
Last modified:
14/02/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

NFSD: Fix READDIR buffer overflow

If a client sends a READDIR count argument that is too small (say, zero), then the buffer size calculation in the new init_dirlist helper functions results in an underflow, allowing the XDR stream functions to write beyond the actual buffer.

This calculation has always been suspect. NFSD has never sanity-checked the READDIR count argument, but the old entry encoders managed the problem correctly.

With the commits below, entry encoding changed, exposing the underflow to the pointer arithmetic in xdr_reserve_space().

Modern NFS clients attempt to retrieve as much data as possible for each READDIR request. Also, we have no unit tests that exercise the behavior of READDIR at the lower bound of @count values. Thus this case was missed during testing.
Impact
Base Score 3.x: 7.80
Severity 3.x: HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.13 (including) | 5.15.12 (excluding) |
cpe:2.3:o:linux:linux_kernel:5.16:rc1:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:5.16:rc2:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:5.16:rc3:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:5.16:rc4:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:5.16:rc5:*:*:*:*:*:* | | |
cpe:2.3:o:linux:linux_kernel:5.16:rc6:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72
- https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1
- https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885