Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A memory leak vulnerability has been identified in the Linux kernel's NFS server component (nfsd). The issue lies in the error-handling path of the NFS version 4 recovery process: when a 'memdup_user()' call fails, the memory obtained by the earlier 'memdup_user()' call for the client name ('name.data') is not freed, so that buffer leaks. Several versions of the Linux kernel are affected.
Each time the bug is triggered, kernel memory is leaked. Repeated triggering increases memory usage and can degrade system performance over time.
The vulnerability can be reproduced by triggering an error in the NFS server's handling of a version 2 upcall during the recovery process. This involves manipulating the 'cld_msg_v2' user message so that the 'memdup_user()' call fails while the 'cc_princhash.cp_data' field is populated. A failed 'memdup_user()' leaves 'princhash.data' as NULL or an error pointer; the correct response is to free the 'name.data' allocation before returning. Because of the vulnerability, that buffer is not freed, and the memory leaks.
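The following is an added, self-contained user-space model of the two-allocation error path described above; it is not the kernel's nfs4recover.c code. The 'cld_msg_model' struct, the 'memdup_model()' stand-in for 'memdup_user()', the fault-injection counter and the live-allocation counter are all constructed for this illustration. It runs the same parse twice with the second copy forced to fail, once with the defective error path and once with the corrected one, and reports how many allocations remain live afterwards.

```c
/* Added example: a user-space model of the leak described on this page.
 * Not the kernel's code; structs, memdup_model() and the counters are
 * constructed for the demonstration. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the v2 client-info message: a client name plus
 * an optional principal hash, each carried as (length, data). */
struct cld_msg_model {
    uint16_t name_len;
    const char *name;
    uint8_t princhash_len;
    const char *princhash;
};

/* Number of buffers currently allocated: the observable for a leak here. */
static int live_allocs = 0;

/* Fault injection: when nonzero, the Nth memdup_model() call (1-based) fails. */
static int fail_on_call = 0;
static int call_count = 0;

/* Model of memdup_user(): copy len bytes into a fresh allocation, or fail.
 * On failure returns NULL and sets *err (stand-in for an ERR_PTR value). */
static void *memdup_model(const void *src, size_t len, int *err)
{
    call_count++;
    if (fail_on_call && call_count == fail_on_call) {
        *err = -EFAULT;
        return NULL;
    }
    void *p = malloc(len ? len : 1);
    if (!p) {
        *err = -ENOMEM;
        return NULL;
    }
    memcpy(p, src, len);
    live_allocs++;
    *err = 0;
    return p;
}

static void free_model(void *p)
{
    if (p) {
        free(p);
        live_allocs--;
    }
}

/* Copy the name and, if present, the principal hash out of the message.
 * On success both buffers are handed to the caller; on failure everything
 * must be released. 'leaky' reproduces the defect on this page: the name
 * buffer is not freed when the second copy fails. */
static int parse_downcall(const struct cld_msg_model *m, int leaky,
                          char **name_out, char **princhash_out)
{
    int err;
    char *name = memdup_model(m->name, m->name_len, &err);
    if (!name)
        return err;

    char *princhash = NULL;
    if (m->princhash_len > 0) {
        princhash = memdup_model(m->princhash, m->princhash_len, &err);
        if (!princhash) {
            if (!leaky)
                free_model(name); /* the fix: release the first allocation */
            return err;
        }
    }
    *name_out = name;
    *princhash_out = princhash;
    return 0;
}

/* Run one parse with the second copy forced to fail and return how many
 * allocations are still live afterwards: 0 is correct, 1 is the leak. */
static int leaked_after_failed_parse(int leaky)
{
    static const struct cld_msg_model msg = {      /* constructed message */
        .name_len = 8, .name = "client-a",
        .princhash_len = 4, .princhash = "\x01\x02\x03\x04",
    };
    char *name = NULL, *princhash = NULL;

    live_allocs = 0;
    call_count = 0;
    fail_on_call = 2;            /* the principal-hash copy fails */
    int rc = parse_downcall(&msg, leaky, &name, &princhash);
    fail_on_call = 0;
    if (rc == 0) {               /* not reached with fault injection on */
        free_model(name);
        free_model(princhash);
    }
    return live_allocs;
}

int main(void)
{
    printf("leaky error path leaves %d allocation(s) live\n",
           leaked_after_failed_parse(1));
    printf("fixed error path leaves %d allocation(s) live\n",
           leaked_after_failed_parse(0));
    return 0;
}
```

The model is deliberately minimal: the only difference between the two runs is whether the first buffer is released on the second copy's failure, which is exactly the one-line change an error path like this needs. In the kernel the same check would be done by auditing every return between the two allocations.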
Users can address this vulnerability by updating to a Linux kernel release from the stable tree that includes the fix.