Linux Kernel NFSv4.2 READ_PLUS Scratch Buffer Double-Free Vulnerability

Vulnerability

A vulnerability in the Linux kernel's NFSv4.2 implementation can lead to a double free of the scratch buffer used for read operations. The issue arises because the read code can send multiple requests that share the same nfs_pgio_header, while the setup function that allocates the scratch buffer is called only once per header. As a result, the scratch buffer may be freed twice, or a NULL pointer paired with a non-zero length may be handed to the XDR scratch buffer. That inconsistent state causes a kernel oops the first time decoding attempts to write into the scratch buffer, which commonly happens when handling READ_PLUS hole segments. The vulnerability affects several versions of the Linux kernel.
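As an added illustration, not kernel code and not part of this advisory, the following user-space C model reproduces the lifecycle mismatch described above using hypothetical names: a setup step that runs once per shared header and a completion path that runs once per request. Both failure modes are counted rather than triggered, and the second function shows one general remedy, per-request ownership of the buffer, which is an illustration and not a description of the upstream patch.

```c
#include <stddef.h>
#include <stdlib.h>

#define SCRATCH_SIZE 4096
/* Shared per-I/O state; models nfs_pgio_header (hypothetical layout). */
struct pgio_header {
    void  *scratch;      /* buffer handed to the XDR decoder */
    size_t scratch_len;  /* length the decoder believes it may write */
};

/* Models the decoder's first copy into the scratch area (e.g. a hole segment).
 * The NULL-pointer/non-zero-length pair is reported instead of dereferenced. */
static int xdr_copy_to_scratch(void *scratch, size_t len) {
    if (len == 0 || scratch == NULL)
        return -1;       /* in the kernel the NULL + non-zero case is the oops */
    ((char *)scratch)[0] = 0;
    return 0;
}

/* Buggy model: setup allocates once per header, but every request that reuses
 * the header releases the buffer. Returns the number of faults detected. */
static int run_requests_shared(int nreq) {
    struct pgio_header hdr;
    int faults = 0;
    hdr.scratch = malloc(SCRATCH_SIZE);             /* "setup", called once */
    hdr.scratch_len = hdr.scratch ? SCRATCH_SIZE : 0;
    for (int i = 0; i < nreq; i++) {
        if (xdr_copy_to_scratch(hdr.scratch, hdr.scratch_len) != 0)
            faults++;                               /* would-be oops */
        if (hdr.scratch == NULL) { faults++; continue; }  /* would-be double free */
        free(hdr.scratch);
        hdr.scratch = NULL;                         /* length left stale, as in the bug */
    }
    return faults;
}

/* Remedy model (an illustration, not the upstream patch): each request owns its
 * scratch buffer, so allocation and release are paired one-to-one. */
static int run_requests_per_request(int nreq) {
    int faults = 0;
    for (int i = 0; i < nreq; i++) {
        void *scratch = malloc(SCRATCH_SIZE);
        size_t len = scratch ? SCRATCH_SIZE : 0;
        if (xdr_copy_to_scratch(scratch, len) != 0)
            faults++;
        free(scratch);
    }
    return faults;
}
```

With a single request both models report no fault; from the second request onward the shared-header model reports one would-be oops and one would-be double free per request.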

Impact

The vulnerability can cause a kernel oops, indicating a serious error that can lead to a system crash or instability.

Reproduction

The vulnerability can be reproduced by sending multiple NFSv4.2 READ_PLUS requests that share the same nfs_pgio_header. This can be done by initiating a read operation that involves READ_PLUS hole segments, which exercise the scratch buffer handling described above.

Remediation

Users can upgrade to the patched version of the Linux kernel, which is available in the Linux kernel stable tree. Instructions for downloading the updated kernel can be found in the Linux kernel documentation.

Added: Sep 17, 2025, 3:36 PM
Updated: Sep 17, 2025, 3:36 PM

Vulnerability Rating

Custom Algorithm
  spread          9.0
  impact          2.5
  exploitability  4.3
  remediation     7.7
  relevance       0.5
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.