Linux Kernel pNFS Block/SCSI Layout Uninitialized Pointer Dereference Vulnerability

Vulnerability

A flaw in the Linux kernel's pNFS block and SCSI layout client code (fs/nfs/blocklayout) can cause a denial of service. In ext_tree_prepare_commit(), which encodes the client's extent tree for a LAYOUTCOMMIT request, the layoutupdate_pages array is not initialized before it is used. When the first encoding attempt does not fit the initial buffer and the function retries with a larger one, entries of that array that were never set can be dereferenced, which crashes the kernel or corrupts memory. Separately, nothing bounds the size of the layout update, so a client can build a LAYOUTCOMMIT larger than the maximum RPC size the server accepts.

Impact

Triggering the flaw crashes the affected NFS client kernel or leaves it unresponsive, a denial of service. Because the dereference reads uninitialized memory, memory corruption is possible in principle, but no impact beyond denial of service is established.

Reproduction

Write a large file on a pNFS block or SCSI layout mount without preallocating its extents, so that many uncommitted extents accumulate before the client sends LAYOUTCOMMIT. ext_tree_prepare_commit() then repeatedly tries to encode the extents into a buffer that is too small, growing it and retrying, and on that path layoutupdate_pages is used before its entries are set. Inspecting the array during these retries shows entries that were never initialized being dereferenced, which is the memory-corruption risk described above.
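To make the two defects described in the Vulnerability section and the retry behaviour above concrete, the following is an added userland C model of the "encode, grow the buffer, retry, attach pages" pattern. It is not the kernel's fs/nfs/blocklayout code: the constants PG_SIZE, EXTENT_XDR_LEN and MAX_RPC_SIZE, the extents_now() callback, the page accounting and every function name are assumptions chosen for illustration. It shows the hardened shape: the page array is zero-allocated, only entries that were actually attached are released on an error path, and the encoded size is checked against the server's maximum RPC size before the buffer is grown, so a commit that keeps growing between attempts is rejected with -E2BIG instead of being sent oversized.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Assumed constants for this model, not the kernel's values. */
#define PG_SIZE         4096u
#define EXTENT_XDR_LEN  44u              /* assumed XDR size of one extent */
#define MAX_RPC_SIZE    (4u * PG_SIZE)   /* assumed server-side RPC limit */

struct page { unsigned char data[PG_SIZE]; };

static int pages_live;   /* live page count, so a test can prove no leak */

static struct page *alloc_page(void) { struct page *p = malloc(sizeof(*p)); if (p) pages_live++; return p; }
/* As in the kernel, releasing a NULL or unset pointer is fatal. */
static void put_page(struct page *p) { if (!p) abort(); pages_live--; free(p); }

struct commit_args {
    struct page **pages;   /* page array handed to the RPC layer */
    size_t nr_pages;       /* entries actually attached */
};

/* Encode n extents into buf; -ENOSPC with *needed set if buf is too small. */
static int encode_extents(unsigned char *buf, size_t buf_len, unsigned n, size_t *needed)
{
    *needed = 4 + (size_t)n * EXTENT_XDR_LEN;
    if (*needed > buf_len)
        return -ENOSPC;
    memset(buf, 0xAB, *needed);   /* constructed stand-in for XDR data */
    return 0;
}

/* Release only entries that were attached: a partially filled array never
 * feeds NULL or unset pointers to put_page on an error path. */
static void free_commitdata(struct commit_args *arg)
{
    for (size_t i = 0; i < arg->nr_pages; i++)
        put_page(arg->pages[i]);
    free(arg->pages);
    memset(arg, 0, sizeof(*arg));
}

/* 0 on success, -ENOMEM, or -E2BIG when the commit would exceed MAX_RPC_SIZE.
 * extents_now() models the extent count changing between attempts, which is
 * what forces the retry with a larger buffer. */
static int prepare_commit(struct commit_args *arg, unsigned (*extents_now)(void))
{
    size_t buf_len = PG_SIZE, needed, n, i;
    unsigned char *buf;

    memset(arg, 0, sizeof(*arg));
    for (;;) {
        if (!(buf = malloc(buf_len)))
            return -ENOMEM;
        if (encode_extents(buf, buf_len, extents_now(), &needed) == 0)
            break;
        free(buf);
        if (needed > MAX_RPC_SIZE)   /* bound the commit before growing */
            return -E2BIG;
        buf_len = needed;
    }
    n = (needed + PG_SIZE - 1) / PG_SIZE;
    arg->pages = calloc(n, sizeof(*arg->pages));   /* every slot NULL until attached */
    for (i = 0; arg->pages && i < n; i++) {
        size_t off = i * PG_SIZE, chunk = needed - off;
        if (!(arg->pages[i] = alloc_page()))
            break;
        memcpy(arg->pages[i]->data, buf + off, chunk > PG_SIZE ? PG_SIZE : chunk);
        arg->nr_pages = i + 1;   /* attached count tracks what is really set */
    }
    free(buf);
    if (!arg->pages || i < n) {   /* allocation failure: release only what was attached */
        free_commitdata(arg);
        return -ENOMEM;
    }
    return 0;
}

static size_t last_nr_pages;   /* pages attached by the most recent try_commit() */

/* One prepare/release cycle; returns the prepare result. */
static int try_commit(unsigned (*extents_now)(void))
{
    struct commit_args arg;
    int ret = prepare_commit(&arg, extents_now);
    last_nr_pages = arg.nr_pages;
    if (ret == 0)
        free_commitdata(&arg);
    return ret;
}

/* Constructed workloads: fits in one page, needs a retry, exceeds the limit,
 * and a count that keeps growing between attempts. */
static unsigned few_extents(void)  { return 10; }    /* 444 bytes, 1 page */
static unsigned many_extents(void) { return 300; }   /* 13204 bytes, 4 pages */
static unsigned too_many(void)     { return 1000; }  /* 44004 bytes > limit */
static unsigned growing_calls;
static unsigned growing_extents(void) { return 100 * ++growing_calls; }
```

The growing_extents() case is the interesting one: each retry finds more extents than the buffer sized for the previous count can hold, so without the MAX_RPC_SIZE check the loop would keep growing the buffer and eventually hand the RPC layer a commit the server cannot accept; with it, the call fails cleanly with no pages attached and pages_live still zero.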

Remediation

Upgrade to a Linux kernel release that contains the fix, or apply the corresponding backport from your distribution or the stable trees. Instructions for upgrading are in the official Linux kernel documentation. Only NFS clients that use the pNFS block or SCSI layout drivers execute the affected code.

Added: Sep 4, 2025, 5:49 PM
Updated: Sep 4, 2025, 5:49 PM

Vulnerability Rating

Custom Algorithm
spread          9.0
impact          2.5
exploitability  5.4
remediation     7.7
relevance       0.4
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.