Linux Kernel NFS Reply Cache Statistics NULL Pointer Dereference Vulnerability

Vulnerability

A vulnerability in the Linux kernel's NFS server implementation can lead to a NULL pointer dereference. The issue was introduced when the initialization of the per-network-namespace, per-CPU reply cache statistics counters was moved into the NFS server startup path, leaving the counters unallocated in any network namespace where the server has not been started. As a result, an unprivileged user can trigger a crash by reading the reply cache statistics file in the proc filesystem while the NFS server is not running. This vulnerability affects non-x86_64 architectures, such as aarch64, and has been identified as a regression.

Impact

Exploitation of this vulnerability causes a user-triggerable kernel crash through a NULL pointer dereference, resulting in a denial of service.

Reproduction

To reproduce this vulnerability, ensure that the NFS server is not running in the current network namespace and that the proc filesystem is mounted on a kernel built with NFS server support. An unprivileged user then reads the reply cache statistics file, which triggers the NULL pointer dereference and crashes the system.

Remediation

The vulnerability has been addressed by moving the initialization of the reply cache statistics counters back to the NFS server's network namespace initialization function, so that the counters are always allocated before any proc handler can read them.
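The following userspace simulation is an added example, not code from the page or from the Linux kernel, and every name in it (struct nfsd_net, nfsd_startup_alloc_stats, nfsd_net_init, stats_show) is a constructed stand-in rather than a real kernel identifier. It contrasts the regressed pattern described above (counters allocated only when the server starts) with the remediated pattern (counters allocated when the namespace is initialized), and shows the defensive check a proc-style show handler can carry so that an unallocated counter block is reported as an error instead of dereferenced.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_CPUS 4 /* constructed: number of simulated per-CPU slots */

/* Constructed stand-in for the per-CPU reply cache counters. */
struct drc_stats {
    unsigned long hits;
    unsigned long misses;
    unsigned long nocache;
};

/* Constructed stand-in for the per-network-namespace NFS server state. */
struct nfsd_net {
    struct drc_stats *percpu_stats; /* NULL until allocated */
    int server_running;
};

/* Regressed pattern (hypothetical name): counters are allocated only when the
 * server is started, so a namespace that never starts the server keeps NULL. */
static int nfsd_startup_alloc_stats(struct nfsd_net *nn)
{
    nn->percpu_stats = calloc(NR_CPUS, sizeof(*nn->percpu_stats));
    if (!nn->percpu_stats)
        return -1;
    nn->server_running = 1;
    return 0;
}

/* Remediated pattern (hypothetical name): counters are allocated when the
 * namespace itself is initialized, before any reader can exist. */
static int nfsd_net_init(struct nfsd_net *nn)
{
    memset(nn, 0, sizeof(*nn));
    nn->percpu_stats = calloc(NR_CPUS, sizeof(*nn->percpu_stats));
    return nn->percpu_stats ? 0 : -1;
}

/* Simulated proc "show" handler. Sums the per-CPU counters into buf and
 * returns the total number of hits, or -1 if the counter block was never
 * allocated. The kernel handler described in the advisory lacked this
 * guard and dereferenced the NULL pointer. */
static long stats_show(const struct nfsd_net *nn, char *buf, size_t len)
{
    unsigned long hits = 0, misses = 0, nocache = 0;
    int cpu;

    if (!nn->percpu_stats) {
        snprintf(buf, len, "stats unavailable\n");
        return -1;
    }
    for (cpu = 0; cpu < NR_CPUS; cpu++) {
        hits += nn->percpu_stats[cpu].hits;
        misses += nn->percpu_stats[cpu].misses;
        nocache += nn->percpu_stats[cpu].nocache;
    }
    snprintf(buf, len, "hits %lu misses %lu nocache %lu\n", hits, misses, nocache);
    return (long)hits;
}

/* Scenario from the advisory: server never started, file read anyway. */
long simulate_regression(void)
{
    struct nfsd_net nn;
    char buf[64];
    memset(&nn, 0, sizeof(nn)); /* namespace created, server not started */
    return stats_show(&nn, buf, sizeof(buf)); /* -1: would have crashed */
}

/* Same read after the remediated initialization order. */
long simulate_fix(void)
{
    struct nfsd_net nn;
    char buf[64];
    long ret;
    if (nfsd_net_init(&nn) != 0)
        return -2;
    nn.percpu_stats[1].hits = 3; /* constructed sample traffic on one CPU */
    nn.percpu_stats[2].hits = 4;
    ret = stats_show(&nn, buf, sizeof(buf));
    free(nn.percpu_stats);
    return ret; /* 7 */
}

int main(void)
{
    printf("regressed order: %ld\n", simulate_regression());
    printf("remediated order: %ld\n", simulate_fix());
    return 0;
}
```

The guard in stats_show is defense in depth only; the actual fix is the allocation order in nfsd_net_init, which removes the window in which a reader can observe an unallocated counter block.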

Added: Dec 30, 2025, 2:38 PM
Updated: Dec 30, 2025, 2:38 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          9.0
impact          2.5
exploitability  4.3
remediation     7.7
relevance       1.8
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.