Linux Kernel NFSD NFSv2 READ Buffer Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's NFS server (NFSD) that could lead to a send buffer overflow in NFSv2 READ operations has been addressed. The issue arises because NFSD combines the RPC receive and send buffers into a single array of pages. This approach is generally effective, but sending an excessively large RPC Call header over TCP shrinks the send buffer, so a reply carrying the maximum payload size can no longer be constructed properly within it. The vulnerability affects several versions of the Linux kernel.
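The page accounting described above, as a simplified C model added here for illustration. It is not kernel code: the struct, the function names and all constants (page size, page count, payload and reply header sizes) are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed constants for this model; not taken from kernel headers. */
#define PAGE_SZ        4096u
#define TOTAL_PAGES    4u     /* one page array shared by receive and send */
#define MAX_V2_PAYLOAD 8192u  /* assumed maximum READ payload */
#define REPLY_HDR_LEN  128u   /* assumed size of the reply header */

struct rqst_model { size_t send_room; /* bytes left for the reply */ };

/* Receive side: pages that hold the Call are unavailable to the reply. */
int model_receive(struct rqst_model *rq, size_t call_len)
{
    size_t used = (call_len + PAGE_SZ - 1) / PAGE_SZ;
    if (used >= TOTAL_PAGES) return -1;          /* no room for any reply */
    rq->send_room = (TOTAL_PAGES - used) * PAGE_SZ;
    return 0;
}

/* Flawed sizing: bounds the payload by the protocol maximum only.
 * Returns how many bytes the reply would exceed the send buffer by. */
size_t read_overrun_unchecked(const struct rqst_model *rq, uint32_t count)
{
    size_t payload = count < MAX_V2_PAYLOAD ? count : MAX_V2_PAYLOAD;
    size_t need = REPLY_HDR_LEN + payload;
    return need > rq->send_room ? need - rq->send_room : 0;
}

/* Hardened sizing: also clamp to the space the send buffer really has. */
uint32_t read_count_clamped(const struct rqst_model *rq, uint32_t count)
{
    size_t room = rq->send_room > REPLY_HDR_LEN ? rq->send_room - REPLY_HDR_LEN : 0;
    size_t payload = count < MAX_V2_PAYLOAD ? count : MAX_V2_PAYLOAD;
    if (payload > room) payload = room;
    return (uint32_t)payload;
}

int main(void)
{
    struct rqst_model rq;
    if (model_receive(&rq, 9000) != 0) return 1; /* constructed oversized Call */
    printf("send room: %zu bytes\n", rq.send_room);
    printf("unchecked overrun: %zu bytes\n", read_overrun_unchecked(&rq, 8192));
    printf("clamped payload: %u bytes\n", (unsigned)read_count_clamped(&rq, 8192));
    return 0;
}
```
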

Impact

Exploitation of this vulnerability could lead to a buffer overflow in the NFS server's send buffer, potentially causing memory corruption or allowing for arbitrary code execution.

Reproduction

The vulnerability can be reproduced by sending a large RPC Call header in an RPC record over TCP to the NFS server. This oversized header will cause the server's send buffer to shrink, creating a mismatch in the expected payload size and leading to a buffer overflow.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. Instructions for downloading the updated kernel can be found on the official Linux kernel website.

Added: Sep 18, 2025, 5:33 PM
Updated: Sep 18, 2025, 5:33 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.7
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.