Linux Kernel NFSv4.0 LOCK Replay Cache Heap Overflow Vulnerability

Vulnerability

A heap overflow has been identified in the Linux kernel's NFSv4.0 LOCK replay cache. For NFSv4.0 (which has no sessions), the NFS server keeps the encoded result of the last sequenced operation per state owner so that a retransmitted request can be answered with the identical reply. That encoded result is stored in a fixed 112-byte buffer. The buffer size was chosen to hold an OPEN response; it does not accommodate a LOCK response with status NFS4ERR_DENIED, whose LOCK4denied body carries the conflicting lock's owner as a variable-length opaque field of up to 1024 bytes.

When a LOCK request is denied because it conflicts with an existing lock whose owner is large, the encoding function copies the full encoded response into the undersized buffer without checking its length against the buffer size. A LOCK4denied body with a 1024-byte owner encodes to 1056 bytes (8 + 8 + 4 for offset, length and lock type, 8 for the client ID, 4 for the owner length, then 1024 owner bytes), which is 944 bytes more than the buffer holds. The result is a slab-out-of-bounds write of up to 944 bytes, with attacker-chosen content, into whatever heap object sits next to the replay cache.

The vulnerability is reachable remotely by an unauthenticated attacker using two cooperating NFSv4.0 clients: one sets a lock with a large owner string, the other requests a conflicting lock to provoke the denial.
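To make the size arithmetic concrete, the following is an added userspace model of the copy described above. It is not kernel code and not part of this advisory: it encodes a LOCK4denied body in XDR, computes how far a cached copy of it would run past a 112-byte buffer, and shows a bounded store that refuses an oversized reply instead of overflowing. REPLAY_BUF_SIZE, struct replay, its field names and replay_store_bounded() are illustrative assumptions modelled on the advisory text; the actual fix should be read from the upstream commit.

```c
/* Added example, not kernel code: a userspace model of the NFSv4.0
 * replay-cache copy described above.  REPLAY_BUF_SIZE, struct replay and
 * replay_store_bounded() are illustrative assumptions, not nfsd's code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REPLAY_BUF_SIZE   112u   /* fixed replay buffer, per the advisory */
#define NFS4_OPAQUE_LIMIT 1024u  /* protocol cap on lock_owner4.owner */
#define NFS4ERR_DENIED    10010u
#define WRITE_LT          2u

/* XDR packs everything into 4-byte units; opaque data is zero-padded. */
static size_t xdr_pad(size_t n)
{
    return (n + 3u) & ~(size_t)3u;
}

/* Encoded size of a LOCK4denied body, i.e. what follows the op status:
 *   offset(8) + length(8) + locktype(4) +
 *   lock_owner4 { clientid(8) + owner<> (4-byte length + padded data) } */
size_t lock_denied_len(size_t owner_len)
{
    return 8u + 8u + 4u + 8u + 4u + xdr_pad(owner_len);
}

/* Bytes a cached LOCK denied reply would write past the replay buffer. */
size_t replay_overflow_bytes(size_t owner_len)
{
    size_t n = lock_denied_len(owner_len);
    return n > REPLAY_BUF_SIZE ? n - REPLAY_BUF_SIZE : 0u;
}

static void put32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

static void put64(unsigned char *p, uint64_t v)
{
    put32(p, (uint32_t)(v >> 32));
    put32(p + 4, (uint32_t)v);
}

/* Encode a LOCK4denied body into out (capacity cap).  Returns the encoded
 * length, or 0 if the owner exceeds the protocol limit or out is too small. */
size_t encode_lock_denied(unsigned char *out, size_t cap,
                          uint64_t offset, uint64_t length, uint32_t locktype,
                          uint64_t clientid,
                          const unsigned char *owner, size_t owner_len)
{
    size_t n = lock_denied_len(owner_len);
    unsigned char *p = out;

    if (owner_len > NFS4_OPAQUE_LIMIT || n > cap)
        return 0;
    put64(p, offset);              p += 8;
    put64(p, length);              p += 8;
    put32(p, locktype);            p += 4;
    put64(p, clientid);            p += 8;
    put32(p, (uint32_t)owner_len); p += 4;
    memcpy(p, owner, owner_len);
    memset(p + owner_len, 0, xdr_pad(owner_len) - owner_len);
    return n;
}

/* Model of the per-state-owner replay slot the advisory describes. */
struct replay {
    uint32_t rp_status;
    uint32_t rp_buflen;
    unsigned char rp_buf[REPLAY_BUF_SIZE];
};

/* Bounded store.  The vulnerable pattern is the equivalent of
 *     memcpy(rp->rp_buf, resp, len);
 * with no comparison of len against sizeof(rp->rp_buf).  Here a reply that
 * does not fit is refused (-1, slot left unchanged) instead of being copied. */
int replay_store_bounded(struct replay *rp, uint32_t status,
                         const unsigned char *resp, size_t len)
{
    if (len > sizeof(rp->rp_buf))
        return -1;
    rp->rp_status = status;
    rp->rp_buflen = (uint32_t)len;
    memcpy(rp->rp_buf, resp, len);
    return 0;
}

int main(void)
{
    unsigned char owner[NFS4_OPAQUE_LIMIT];   /* constructed: client 1's large owner */
    unsigned char resp[2048];
    struct replay rp = {0, 0, {0}};
    size_t n;

    memset(owner, 'A', sizeof owner);
    n = encode_lock_denied(resp, sizeof resp, 0, 1, WRITE_LT,
                           0x1122334455667788ULL, owner, sizeof owner);
    printf("LOCK4denied body %zu bytes, replay buffer %u bytes, overrun %zu bytes\n",
           n, REPLAY_BUF_SIZE, replay_overflow_bytes(sizeof owner));
    printf("bounded store of that reply returns %d\n",
           replay_store_bounded(&rp, NFS4ERR_DENIED, resp, n));
    return 0;
}
```

With a 1024-byte owner the body is 1056 bytes and the overrun 944, matching the figure in the advisory; the largest owner that still fits the 112-byte slot is 80 bytes. Refusing to cache is only one possible bounded behaviour and is shown here for contrast with the unchecked copy, not as a description of what the upstream patch does.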

Impact

Exploitation produces a slab-out-of-bounds write of up to 944 bytes past the replay buffer, corrupting the heap object allocated next to it. At minimum this can crash the NFS server (kernel memory corruption, denial of service). Because the attacker controls both the length of the overflow and, through the owner string, its content, the full consequences depend on which object happens to be adjacent in the slab; the advisory makes no claim beyond memory corruption.

Reproduction

To reproduce this vulnerability, use two clients mounted with NFSv4.0 (minor version 0; the affected replay cache is not used for NFSv4.1 and later, which cache replies in the session slot table). First, have one client open a file and take a byte-range lock whose lock owner is close to 1024 bytes. Then, from the second client, under a different lock owner, request a lock of a conflicting type over an overlapping range. The server answers NFS4ERR_DENIED with a LOCK4denied body that carries the first client's owner, and caching that reply writes the oversized response into the fixed-size buffer, triggering the heap overflow.

Note that the stock Linux NFS client emits a short, fixed-format lock owner, so the first client must be a custom or modified NFSv4.0 client that lets you control the owner field.

Remediation

Users should update to a kernel that contains upstream commit 5133b61aaf437e5f25b1b396b14242a6bb0508e2, or backport that patch. Where the patch cannot be applied yet, disabling NFSv4.0 on the server removes the reachable path, since only minor version 0 uses this replay cache (for example, set vers4.0=n in the [nfsd] section of /etc/nfs.conf and restart nfsd, then confirm the enabled versions in /proc/fs/nfsd/versions); check first that no client still depends on NFSv4.0.

Added: Apr 3, 2026, 4:26 PM
Updated: Apr 3, 2026, 4:26 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 5.3
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.