CVE-2024-56779

Summary

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur

The action force umount(umount -f) will attempt to kill all rpc_task even umount operation may ultimately fail if some files remain open. Consequently, if an action attempts to open a file, it can potentially send two rpc_task to nfs server.

               NFS CLIENT

thread1 thread2 open("file") … nfs4_do_open _nfs4_do_open _nfs4_open_and_get_state _nfs4_proc_open nfs4_run_open_task /* rpc_task1 */ rpc_run_task rpc_wait_for_completion_task

                                umount -f
                                nfs_umount_begin
                                 rpc_killall_tasks
                                  rpc_signal_task
 rpc_task1 been wakeup
 and return -512

_nfs4_do_open // while loop … nfs4_run_open_task /* rpc_task2 */ rpc_run_task rpc_wait_for_completion_task

While processing an open request, nfsd will first attempt to find or allocate an nfs4_openowner. If it finds an nfs4_openowner that is not marked as NFS4_OO_CONFIRMED, this nfs4_openowner will released. Since two rpc_task can attempt to open the same file simultaneously from the client to server, and because two instances of nfsd can run concurrently, this situation can lead to lots of memory leak. Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will be triggered.

                NFS SERVER

nfsd1 nfsd2 echo 0 > /proc/fs/nfsd/threads

nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // alloc oo1, stateid1 nfsd4_open nfsd4_process_open1 find_or_alloc_open_stateowner // find oo1, without NFS4_OO_CONFIRMED release_openowner unhash_openowner_locked list_del_init(&oo->oo_perclient) // cannot find this oo // from client, LEAK!!! alloc_stateowner // alloc oo2

nfsd4_process_open2 init_open_stateid // associate oo1 // with stateid1, stateid1 LEAK!!! nfs4_get_vfs_file // alloc nfsd_file1 and nfsd_file_mark1 // all LEAK!!!

                     nfsd4_process_open2
                     ...

                                write_threads
                                 ...
                                 nfsd_destroy_serv
                                  nfsd_shutdown_net
                                   nfs4_state_shutdown_net
                                    nfs4_state_destroy_net
                                     destroy_client
                                      __destroy_client
                                      // won't find oo1!!!
                                 nfsd_shutdown_generic
                                  nfsd_file_cache_shutdown
                                   kmem_cache_destroy
                                   for nfsd_file_slab
                                   and nfsd_file_mark_slab
                                   // bark since nfsd_file1
                                   // and nfsd_file_mark1
                                   // still alive

======================================================================= BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()

Slab 0xffd4000004438a80 objects=34 used=1 fp=0xff11000110e2ad28 flags=0x17ffffc0000240(workingset|head|node=0|zone=2|lastcpupid=0x1fffff) CPU: 4 UID: 0 PID: 757 Comm: sh Not tainted 6.12.0-rc6+ #19 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dum —truncated—

Affected Software

VendorProductVersion RangeStatus
LinuxLinux3234975f477f746c22d076ea178a79ea104b2ca7 < a85364f0d30dee01c5d5b4afa55a9629a8f36d8eaffected
LinuxLinux3234975f477f746c22d076ea178a79ea104b2ca7 < 2d505a801e57428057563762f67a5a62009b2600affected
LinuxLinux3234975f477f746c22d076ea178a79ea104b2ca7 < 0ab0a3ad24e970e894abcac58f85c332d1726749affected
LinuxLinux3234975f477f746c22d076ea178a79ea104b2ca7 < 45abb68c941ebc9a35c6d3a7b08196712093c636affected
LinuxLinux3234975f477f746c22d076ea178a79ea104b2ca7 < 37dfc81266d3a32294524bfadd3396614f8633eeaffected
LinuxLinux3234975f477f746c22d076ea178a79ea104b2ca7 < 6f73f920b7ad0084373e46121d7ac34117aed652affected
LinuxLinux3234975f477f746c22d076ea178a79ea104b2ca7 < 98100e88dd8865999dc6379a3356cd799795fe7baffected
LinuxLinux3.17affected
LinuxLinux0 < 3.17unaffected
LinuxLinux5.4.287 <= 5.4.*unaffected
LinuxLinux5.10.231 <= 5.10.*unaffected
LinuxLinux5.15.174 <= 5.15.*unaffected
LinuxLinux6.1.120 <= 6.1.*unaffected
LinuxLinux6.6.64 <= 6.6.*unaffected
LinuxLinux6.12.4 <= 6.12.*unaffected
LinuxLinux6.13 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References