[LTS 9.2] nfsd: CVE-2026-31402, CVE-2025-40324, CVE-2023-53241#1222
Open
pvts-mat wants to merge 3 commits into
Open
[LTS 9.2] nfsd: CVE-2026-31402, CVE-2025-40324, CVE-2023-53241#1222pvts-mat wants to merge 3 commits into
pvts-mat wants to merge 3 commits into
Conversation
jira VULN-154845 cve CVE-2023-53241 commit-author Jeff Layton <jlayton@kernel.org> commit 15a8b55 For ops with "trivial" replies, nfsd4_encode_operation will shortcut most of the encoding work and skip to just marshalling up the status. One of the things it skips is calling op_release. This could cause a memory leak in the layoutget codepath if there is an error at an inopportune time. Have the compound processing engine always call op_release, even when op_func sets an error in op->status. With this change, we also need nfsd4_block_get_device_info_scsi to set the gd_device pointer to NULL on error to avoid a double free. Reported-by: Zhi Li <yieli@redhat.com> Link: https://bugzilla.redhat.com/show_bug.cgi?id=2181403 Fixes: 34b1744 ("nfsd4: define ->op_release for compound ops") Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> (cherry picked from commit 15a8b55) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-161290 cve CVE-2025-40324 commit-author Chuck Lever <chuck.lever@oracle.com> commit abb1f08 When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. Fixes: 15a8b55 ("nfsd: call op_release, even when op_func returns an error") Cc: stable@vger.kernel.org Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> (cherry picked from commit abb1f08) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
jira VULN-180163 cve CVE-2026-31402 commit-author Jeff Layton <jlayton@kernel.org> commit 5133b61 upstream-diff Used linux-5.10.y backport f9fcb4441f6c02bb20c2eb340101e27dfe23607c for the clean cherry-pick. The modified function `nfsd4_encode_operation()' is identical in both versions The NFSv4.0 replay cache uses a fixed 112-byte inline buffer (rp_ibuf[NFSD4_REPLAY_ISIZE]) to store encoded operation responses. This size was calculated based on OPEN responses and does not account for LOCK denied responses, which include the conflicting lock owner as a variable-length field up to 1024 bytes (NFS4_OPAQUE_LIMIT). When a LOCK operation is denied due to a conflict with an existing lock that has a large owner, nfsd4_encode_operation() copies the full encoded response into the undersized replay buffer via read_bytes_from_xdr_buf() with no bounds check. This results in a slab-out-of-bounds write of up to 944 bytes past the end of the buffer, corrupting adjacent heap memory. This can be triggered remotely by an unauthenticated attacker with two cooperating NFSv4.0 clients: one sets a lock with a large owner string, then the other requests a conflicting lock to provoke the denial. We could fix this by increasing NFSD4_REPLAY_ISIZE to allow for a full opaque, but that would increase the size of every stateowner, when most lockowners are not that large. Instead, fix this by checking the encoded response length against NFSD4_REPLAY_ISIZE before copying into the replay buffer. If the response is too large, set rp_buflen to 0 to skip caching the replay payload. The status is still cached, and the client already received the correct response on the original request. Fixes: 1da177e ("Linux-2.6.12-rc2") Cc: stable@kernel.org Reported-by: Nicholas Carlini <npc@anthropic.com> Tested-by: Nicholas Carlini <npc@anthropic.com> Signed-off-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> (cherry picked from commit f9fcb4441f6c02bb20c2eb340101e27dfe23607c) Signed-off-by: Marcin Wcisło <marcin.wcislo@conclusive.pl>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
[LTS 9.2]
Commits
CVE-2026-31402 (+ CVE-2023-53241, CVE-2025-40324)
The solution is based on the
linux-5.10.ybackport, which itself doesn't differ from the recent LTS 9.4 fix (see #1153). Thenfsd: call op_release, even when op_func returns an errorwas picked as prerequisite to equalizeciqlts9_2'snfsd4_encode_operation()function with that found inlinux-5.10.yfrom right before the fix, with an added bonus of solving additional CVE. The middle commitNFSD: Fix crash in nfsd4_read_release()was pulled in as a bugfix fornfsd: call op_release, even when op_func returns an error, having its own CVE as well.kABI check: passed
Boot test: passed
boot-test.log
Kselftests: passed relative
Reference
kselftests–ciqlts9_2–run1.log
kselftests–ciqlts9_2–run2.log
Patch
kselftests–ciqlts9_2-CVE-batch-33–run1.log
kselftests–ciqlts9_2-CVE-batch-33–run2.log
Comparison
The tests results for the reference and the patch are the same.
tests-comparison.txt