Linux Kernel NFSD NFSv3 READDIR Send Buffer Overflow Vulnerability

Vulnerability

A vulnerability in the Linux kernel's Network File System (NFS) version 3 implementation within the NFS server daemon (NFSD) has been addressed. This vulnerability involved a send buffer overflow risk during the READDIR operation. NFSD managed the pages held by each thread by merging the RPC receive and send buffers into a single page array. This approach was effective because no operation required a large RPC Call and a large RPC Reply simultaneously. However, a client could exploit this by sending an excessively large RPC record, forcing the send buffer to shrink and creating a potential overflow condition.
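The shared page budget described above, as an added illustration that is not kernel code: a simplified model in which every page consumed by an oversized RPC Call is a page the RPC Reply no longer has. The page array size, payload limit and function names are hypothetical assumptions; the point is that the hardened sizing bounds the READDIR reply by the space actually left rather than by the protocol maximum.

```c
/* Hypothetical model of an NFSD thread's shared receive/send page array.
 * Not the kernel's code: sizes and names are assumptions for illustration. */
#include <stdbool.h>

#define PAGE_SZ       4096u
#define THREAD_PAGES  257u                 /* assumed per-thread page array */
#define MAX_PAYLOAD   (1024u * 1024u)      /* assumed maximum reply payload */

/* Pages left for the Reply once the Call record has been received.
 * A large Call shrinks what remains for the send buffer. */
static unsigned int reply_pages_left(unsigned int call_bytes)
{
    unsigned int call_pages = (call_bytes + PAGE_SZ - 1) / PAGE_SZ;
    return call_pages >= THREAD_PAGES ? 0 : THREAD_PAGES - call_pages;
}

/* Vulnerable sizing: assumes the send buffer is always as large as the
 * protocol maximum and ignores what the Call already consumed. */
unsigned int readdir_count_vulnerable(unsigned int client_count)
{
    return client_count < MAX_PAYLOAD ? client_count : MAX_PAYLOAD;
}

/* Hardened sizing: additionally bound the READDIR reply by the bytes
 * actually left in the shared page array. */
unsigned int readdir_count_hardened(unsigned int client_count,
                                    unsigned int call_bytes)
{
    unsigned int cap = readdir_count_vulnerable(client_count);
    unsigned int avail = reply_pages_left(call_bytes) * PAGE_SZ;
    return cap < avail ? cap : avail;
}

/* True when a reply of `count` bytes would exceed the space left. */
bool reply_overflows(unsigned int count, unsigned int call_bytes)
{
    return count > reply_pages_left(call_bytes) * PAGE_SZ;
}
```

With a 512-byte Call the two sizings agree; with a 1,000,000-byte Call the vulnerable sizing still hands READDIR a 1 MiB reply budget while only 12 pages remain, which the hardened sizing caps at 49152 bytes.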

Impact

Exploitation of this vulnerability could lead to a send buffer overflow, causing memory corruption or other unintended behavior in the NFS server.

Reproduction

The vulnerability can be reproduced by sending a correctly-formed RPC Call header within an excessively large RPC record to an NFSv3 server over TCP. This will cause the server's send buffer to shrink, creating a buffer overflow condition during the READDIR operation.

Remediation

Users can upgrade to the patched version of the Linux kernel available in the Linux Kernel Git Repository. Instructions for downloading the latest version can be found in the repository's release notes.

Added: Oct 4, 2025, 7:43 PM
Updated: Oct 4, 2025, 7:43 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.