Linux Kernel NFSD Credential Reference Leak Vulnerability

Vulnerability

A memory leak vulnerability has been identified in the Linux kernel's NFSD (NFS daemon) component, specifically within the 'nfsd_nl_threads_set_doit()' function. The function passes a reference to the current credentials to 'nfsd_svc()' and never releases it, so the reference is leaked. The credential is eventually passed down to '_svc_xprt_create()', which retrieves the credential for the service transport structure, but ownership of the caller's reference is not transferred anywhere, resulting in a memory leak. The issue was reported by syzbot and has been fixed by modifying 'nfsd_nl_threads_set_doit()' to use 'current_cred()' instead of 'get_current_cred()'.
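The reference-count flow described above, as an added userspace model in C (not kernel source and not code from the patch). It assumes the transport takes its own reference on creation and drops it on teardown; 'xprt_create', 'xprt_teardown', 'threads_set_leaky', 'threads_set_fixed' and 'leaked_refs' are hypothetical names for the model.

```c
/* Userspace model of the credential refcount flow; not kernel code. */
#include <stdio.h>

struct cred { int usage; };                  /* stand-in for the kernel's struct cred */
struct svc_xprt { struct cred *xpt_cred; };  /* stand-in for the service transport */
static struct cred task_cred = { 1 };        /* the reference the task itself holds */

static struct cred *get_cred(struct cred *c) { c->usage++; return c; }
static void put_cred(struct cred *c) { c->usage--; }

/* Borrowed pointer: no reference taken, nothing for the caller to release. */
static struct cred *current_cred(void) { return &task_cred; }
/* Owned reference: the caller must balance it with put_cred(). */
static struct cred *get_current_cred(void) { return get_cred(&task_cred); }

/* Assumption: the transport keeps its own reference and drops it on teardown. */
static void xprt_create(struct svc_xprt *x, struct cred *c) { x->xpt_cred = get_cred(c); }
static void xprt_teardown(struct svc_xprt *x) { put_cred(x->xpt_cred); x->xpt_cred = NULL; }
static void nfsd_svc(struct svc_xprt *x, struct cred *c) { xprt_create(x, c); }

/* Before the fix: an owned reference is handed down and never released. */
static void threads_set_leaky(struct svc_xprt *x) { nfsd_svc(x, get_current_cred()); }
/* After the fix: a borrowed pointer is handed down; the count stays balanced. */
static void threads_set_fixed(struct svc_xprt *x) { nfsd_svc(x, current_cred()); }

/* Run n set/teardown cycles; return the references left above the baseline. */
static int leaked_refs(void (*set)(struct svc_xprt *), int n)
{
    int base = task_cred.usage;
    for (int i = 0; i < n; i++) {
        struct svc_xprt x = { 0 };
        set(&x);
        xprt_teardown(&x);
    }
    int leaked = task_cred.usage - base;
    task_cred.usage = base;                  /* reset the model for the next run */
    return leaked;
}

int main(void)
{
    printf("get_current_cred(): %d leaked refs\n", leaked_refs(threads_set_leaky, 1000));
    printf("current_cred():     %d leaked refs\n", leaked_refs(threads_set_fixed, 1000));
    return 0;
}
```

Each call through the leaky path leaves one reference outstanding, so the credential can never reach a zero count and be freed; the fixed path leaves the count where it started.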

Impact

Exploitation of this vulnerability leads to a memory leak of credential structures, which can accumulate and potentially cause memory exhaustion over time.

Reproduction

The vulnerability can be reproduced by invoking the 'nfsd_nl_threads_set_doit()' function, which is called from 'sendmsg()' in the context of a netlink command. This function passes 'get_current_cred()' to 'nfsd_svc()', creating a reference to the current credentials that is not released, causing a memory leak. This can be observed using the 'kmemleak' feature, which reports unreferenced objects, including the leaked credential structure.

Remediation

Users can upgrade to the latest stable version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: Mar 25, 2026, 1:11 PM
Updated: Mar 25, 2026, 1:11 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 4.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.