Linux Kernel NFS Refcount Leak Vulnerability in nfsd_set_fh_dentry()

Vulnerability

A reference-count handling bug has been identified in the Linux kernel's NFS server (nfsd). It lies in nfsd_set_fh_dentry(), the routine that resolves an incoming filehandle to the export and dentry it refers to, for NFSv2, v3 and v4 requests alike. NFSv2 and v3 clients are not permitted to access the pseudo-root filesystem that nfsd synthesizes for NFSv4, so when such a client presents a filehandle from that filesystem the function correctly reports an error and drops the reference it took on the export. It does so, however, after it has already stored the export pointer in the request's 'struct svc_fh'. When the filehandle is released with fh_put() at the end of the request, that stale pointer is put a second time, so the export's refcount is dropped once more than it was taken. Although the title speaks of a leak, the mechanism described here is an over-release, not an under-release: the export can be freed while the server still holds and uses it, a use-after-free that can corrupt memory or crash the server. The bug can only be reached by an NFSv2 or v3 client that deliberately constructs a filehandle referring to the v4 pseudo-root; a normal client has no reason to send one.
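
The following userspace C program is an added illustration of the pattern just described; it is not nfsd code and does not reproduce the upstream patch. The struct names, field names, the two set_fh_dentry_* variants and simulate() are stand-ins chosen for this example. The "buggy" variant records the export in the filehandle before the pseudo-root check and drops the reference on the error path without clearing the record, so the later fh_put() puts it again; the "fixed" variant records the export only once the filehandle is accepted, which is one way to close the hole consistent with the description above. The export starts with one reference, modelling the one the server's export table keeps, and the simulation reports -1 when that reference is destroyed out from under the table.

```c
#include <stdio.h>

/*
 * Toy model of the reference-counting pattern described in the advisory.
 * Names here are illustrative stand-ins, NOT the nfsd definitions, and
 * neither set_fh_dentry_* function is the kernel's code.
 */

enum { NFS_OK = 0, NFSERR_STALE = 70 };

struct toy_export {
    int refcount;   /* references currently held on this export */
    int is_v4root;  /* models the NFSv4 pseudo-root export flag */
    int freed;      /* set once the last reference is dropped */
};

struct toy_fh {
    struct toy_export *fh_export;  /* models the export stored in svc_fh */
};

static void exp_get(struct toy_export *e) { e->refcount++; }

static void exp_put(struct toy_export *e)
{
    if (!e->freed && --e->refcount == 0)
        e->freed = 1;   /* stand-in for the kernel freeing the object */
}

/* Vulnerable pattern: the export is recorded in the filehandle before the
 * pseudo-root check, and the error path drops the reference without
 * clearing that record. */
static int set_fh_dentry_buggy(struct toy_fh *fhp, struct toy_export *exp,
                               int client_is_v4)
{
    exp_get(exp);            /* reference taken for this filehandle */
    fhp->fh_export = exp;    /* recorded too early */
    if (!client_is_v4 && exp->is_v4root) {
        exp_put(exp);        /* dropped on error ... */
        return NFSERR_STALE; /* ... but fh_export still points at exp */
    }
    return NFS_OK;
}

/* Corrected pattern: nothing is recorded unless the filehandle is
 * accepted, so fh_put() has nothing extra to release. */
static int set_fh_dentry_fixed(struct toy_fh *fhp, struct toy_export *exp,
                               int client_is_v4)
{
    exp_get(exp);
    if (!client_is_v4 && exp->is_v4root) {
        exp_put(exp);
        return NFSERR_STALE; /* fh_export left untouched */
    }
    fhp->fh_export = exp;
    return NFS_OK;
}

/* End-of-request cleanup: release whatever the filehandle recorded. */
static void fh_put(struct toy_fh *fhp)
{
    if (fhp->fh_export) {
        exp_put(fhp->fh_export);
        fhp->fh_export = NULL;
    }
}

typedef int (*set_fh_fn)(struct toy_fh *, struct toy_export *, int);

/*
 * Run one request through the model. The export starts with refcount 1,
 * the reference the server's export table keeps while the export exists.
 * Returns the refcount left for the table afterwards, or -1 if the export
 * was freed out from under the table (the use-after-free).
 */
static int simulate(set_fh_fn set_fh, int client_is_v4, int target_is_v4root)
{
    struct toy_export exp = { .refcount = 1, .is_v4root = target_is_v4root, .freed = 0 };
    struct toy_fh fh = { .fh_export = NULL };

    set_fh(&fh, &exp, client_is_v4);  /* filehandle verification */
    fh_put(&fh);                      /* request teardown */
    return exp.freed ? -1 : exp.refcount;
}

int main(void)
{
    printf("buggy, v3 client, v4root handle : %d\n", simulate(set_fh_dentry_buggy, 0, 1));
    printf("fixed, v3 client, v4root handle : %d\n", simulate(set_fh_dentry_fixed, 0, 1));
    printf("buggy, v4 client, v4root handle : %d\n", simulate(set_fh_dentry_buggy, 1, 1));
    printf("buggy, v3 client, normal export : %d\n", simulate(set_fh_dentry_buggy, 0, 0));
    return 0;
}
```

Only the first combination (v2/v3 client, pseudo-root handle, vulnerable ordering) drives the count to zero; a v4 client on the same handle and a v3 client on an ordinary export both leave the table's reference intact, which matches the advisory's statement that the bug needs a crafted pseudo-root handle from a v2 or v3 client.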

Impact

A successful trigger releases the export's reference one time too many, so the export can be freed while the server still references it: a kernel use-after-free. The documented outcome is denial of service, that is, a crash or hang of the NFS server. As with any kernel use-after-free, memory corruption beyond a crash cannot be excluded, but no further impact is claimed.

Reproduction

The bug is not reached by an ordinary mount. Reproducing it requires a client that can send raw NFSv2 or v3 requests (or a modified client) and a filehandle that identifies the server's NFSv4 pseudo-root export, which is normally invisible to v2 and v3 clients and which a stock client never sends. Presenting such a synthesized handle in any v2/v3 operation that verifies the filehandle makes nfsd_set_fh_dentry() return the error while leaving the export pointer behind in 'struct svc_fh', and fh_put() then releases it a second time at the end of the request.

Remediation

The issue is fixed upstream by the Linux kernel commit "nfsd: fix refcount leak in nfsd_set_fh_dentry()". Upgrade to a kernel that carries that fix, or to your distribution's backport of it. Because only NFSv2 and v3 clients can trigger the bug, a server that needs to serve NFSv4 clients only can remove the trigger path in the meantime by disabling v3 in nfsd (with nfs-utils, vers3=n in the [nfsd] section of /etc/nfs.conf, then restart nfsd; NFSv2 is already disabled by default on current nfs-utils). The versions actually enabled can be checked in /proc/fs/nfsd/versions, where a leading "-" marks a disabled version and "+" an enabled one.

Added: Nov 24, 2025, 1:18 PM
Updated: Nov 24, 2025, 1:18 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.