Linux Kernel NFS Client Reference Management Vulnerability in NFSD

Vulnerability

A use-after-free in the Linux kernel's NFS server (NFSD) has been fixed. 'nfsd4_setclientid_confirm()' did not check the return value of 'get_client_locked()', so a 'SETCLIENTID_CONFIRM' request could race with the expiry of the confirmed client it referred to: the reference grab failed, the handler carried on as though it held a reference, and the client record could be freed while still in use. The fix takes a reference on an existing confirmed client early in the handler; if the reference cannot be obtained, the handler proceeds as if no confirmed client exists. If the unconfirmed client is the one expiring, the handler now fails and returns the error from 'get_client_locked()' instead of touching the record.
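
The two handler shapes described above, as an added C model that is not the kernel's NFSD code: the struct layout, the CL_* states, the -ENOENT result and the deterministic 'laundromat' hook (which stands in for expiry work completing while the handler has dropped the state lock) are this example's simplifications. The vulnerable handler discards the result of 'get_client_locked()' and touches the record after expiry finishes; the fixed handler takes the reference early, treats failure as "no confirmed client", and fails outright when the unconfirmed client is expiring.

```c
#include <errno.h>
#include <stddef.h>

/* Illustrative model only, not Linux NFSD code: the struct layout, CL_* states,
 * -ENOENT result and the laundromat hook are this example's simplifications. */
enum cl_state { CL_UNCONFIRMED, CL_CONFIRMED, CL_EXPIRING, CL_FREED };

struct nfs_client { int refcount; enum cl_state state; }; /* refs: table + in-flight handlers */

struct nfs_net {
    struct nfs_client *conf;   /* confirmed record for the clientid, or NULL */
    struct nfs_client *unconf; /* unconfirmed record for the clientid, or NULL */
    void (*laundromat)(struct nfs_net *); /* expiry work run once the handler drops the lock */
};

/* Take a reference under the state lock; refused once teardown has begun. */
static int get_client_locked(struct nfs_client *clp)
{
    if (clp->state == CL_EXPIRING || clp->state == CL_FREED)
        return -ENOENT;
    clp->refcount++;
    return 0;
}

/* Drop a reference; the last one "frees" the record (only marked, so the example stays defined). */
static void put_client(struct nfs_client *clp)
{
    if (--clp->refcount == 0)
        clp->state = CL_FREED;
}

/* Expiry finishing its work: release the table's reference on the expiring confirmed client. */
static void laundromat_finish_expiry(struct nfs_net *nn)
{
    if (nn->conf && nn->conf->state == CL_EXPIRING)
        put_client(nn->conf);
}

/* Vulnerable shape: get_client_locked()'s result is discarded.
 * Returns 1 if the handler touches a freed record (the UAF), else 0. */
static int confirm_vulnerable(struct nfs_net *nn)
{
    struct nfs_client *conf = nn->conf;
    if (conf)
        (void)get_client_locked(conf); /* BUG: failure ignored, no reference held */
    if (nn->laundromat)
        nn->laundromat(nn);            /* lock dropped: expiry completes meanwhile */
    if (conf) {
        if (conf->state == CL_FREED)
            return 1;                  /* in the kernel: use-after-free */
        put_client(conf);              /* also wrong: releases a reference never taken */
    }
    return 0;
}

/* Fixed shape: reference the confirmed client early, treat failure as "no confirmed client",
 * fail if the unconfirmed client is expiring. Returns 0, 1 on a freed-record touch, or -errno. */
static int confirm_fixed(struct nfs_net *nn)
{
    struct nfs_client *conf = nn->conf, *unconf = nn->unconf;
    int ret, uaf = 0;
    if (conf && get_client_locked(conf) != 0)
        conf = NULL;                   /* expiring: behave as if none was found */
    if (unconf && (ret = get_client_locked(unconf)) != 0) {
        if (conf)
            put_client(conf);
        return ret;                    /* unconfirmed client dying: fail outright */
    }
    if (nn->laundromat)
        nn->laundromat(nn);
    if (conf) {
        uaf |= (conf->state == CL_FREED);
        put_client(conf);
    }
    if (unconf) {
        uaf |= (unconf->state == CL_FREED);
        put_client(unconf);
    }
    return uaf;
}

/* Race from the advisory: expiry of the confirmed client is under way when
 * SETCLIENTID_CONFIRM arrives and completes while the handler runs. */
static int race_outcome(int (*handler)(struct nfs_net *))
{
    struct nfs_client conf = { .refcount = 1, .state = CL_EXPIRING };
    struct nfs_client unconf = { .refcount = 1, .state = CL_UNCONFIRMED };
    struct nfs_net nn = { &conf, &unconf, laundromat_finish_expiry };
    return handler(&nn);
}

/* The other case the fix covers: the only record is an unconfirmed, expiring client. */
static int unconfirmed_expiring_outcome(void)
{
    struct nfs_client unconf = { .refcount = 1, .state = CL_EXPIRING };
    struct nfs_net nn = { NULL, &unconf, NULL };
    return confirm_fixed(&nn);
}
```

Driven through the same interleaving, 'confirm_vulnerable' reports that it touched the freed record, 'confirm_fixed' does not (it never looks at the confirmed client again once the reference grab fails), and with only an expiring unconfirmed client 'confirm_fixed' returns -ENOENT without dereferencing it. The point the model isolates is that a failed reference acquisition must change control flow, not just be noted.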

Impact

The vulnerability gives an attacker a use-after-free in kernel context in the server's NFSv4 state-handling path. Depending on what is reallocated into the freed slot, the result ranges from a kernel crash (denial of service on the NFS server) to memory corruption that could be developed into arbitrary code execution. The triggering operation, 'SETCLIENTID_CONFIRM', is an NFSv4 request sent by clients, so the window is reachable over the network by hosts that can talk to the server; because the bug is a race against client expiry, triggering it is timing-dependent rather than deterministic.

Reproduction

The bug is a race: a 'SETCLIENTID_CONFIRM' request must arrive while the confirmed client it names is being expired by the server's lease-expiry path. In that window 'get_client_locked()' fails, 'nfsd4_setclientid_confirm()' ignores the failure and continues to use the client record without holding a reference, and the record can be freed underneath it. Reproduction is therefore timing-dependent; a kernel built with KASAN is the practical way to confirm the use-after-free when the window is hit.

Remediation

Upgrade to a kernel release that includes the fix to 'nfsd4_setclientid_confirm()', or to a distribution kernel into which it has been backported. Until then, limiting which networks can reach the NFS server (for example, firewalling TCP port 2049 to trusted clients) narrows exposure but does not remove the bug.

Added: Sep 4, 2025, 7:13 PM
Updated: Sep 4, 2025, 7:13 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 0.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.