Linux Kernel NFSD Network Namespace Reference Vulnerability in Exports File Descriptor Handling

Vulnerability

A vulnerability exists in the Linux kernel's NFS server (NFSD) in how the /proc/fs/nfs/exports file descriptor tracks its network namespace. The exports_proc_open() function records the caller's current network namespace but does not take a reference on it, so nothing keeps that namespace alive for as long as the descriptor stays open. If the namespace is later destroyed, NFSD cleans up by freeing its cached export data, and a subsequent use of the descriptor dereferences that freed memory. This vulnerability can be triggered by keeping an exports file descriptor open while manipulating network namespaces, causing NFSD to access invalid memory.

Impact

Exploitation of this vulnerability results in a use-after-free, with potential for memory corruption or arbitrary code execution in the kernel.

Reproduction

To reproduce this vulnerability, open a /proc/fs/nfs/exports file descriptor and then change the network namespace. This can be done using the setns() system call to switch to a different namespace. After the namespace change, the NFS server will attempt to read from the still-open file descriptor, which will cause it to access freed memory, leading to a use-after-free vulnerability.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version where this issue has been fixed.
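As an added example (not the kernel's own code), the following userspace model shows the lifetime rule the fix enforces: a file that captures a namespace in open() must hold a reference on it until release(). The struct net, get_net() and put_net() here are simplified stand-ins for the kernel's, and exports_open_*/exports_release_*/exports_read are hypothetical names for the proc file operations.

```c
/* Added, illustrative model (not the kernel's code) of the lifetime bug:
 * a namespace object freed while an open exports fd still points at it.
 * Userspace stand-ins for the kernel's struct net, get_net()/put_net(). */
#include <stdlib.h>

struct net {
    int refcount;  /* owners of this namespace object */
    int alive;     /* 0 once the last reference is dropped ("freed") */
};

struct exports_file { struct net *net; };  /* stand-in for the fd's private data */

static struct net *get_net(struct net *n) { n->refcount++; return n; }
static void put_net(struct net *n) { if (--n->refcount == 0) n->alive = 0; }

static struct net *netns_create(void) {
    struct net *n = calloc(1, sizeof *n);
    n->refcount = 1;  /* the namespace's own reference */
    n->alive = 1;
    return n;
}

/* Vulnerable pattern: open() records the caller's namespace without a reference. */
static void exports_open_vuln(struct exports_file *f, struct net *cur) { f->net = cur; }
static void exports_release_vuln(struct exports_file *f) { (void)f; }

/* Fixed pattern: open() pins the namespace; release() drops the pin. */
static void exports_open_fixed(struct exports_file *f, struct net *cur) { f->net = get_net(cur); }
static void exports_release_fixed(struct exports_file *f) { put_net(f->net); f->net = NULL; }

/* A read through the fd touches per-namespace cache data; in the kernel,
 * touching a freed struct net is the use-after-free. Here we only report it. */
static int exports_read(struct exports_file *f) { return f->net->alive ? 0 : -1; }

/* Sequence: open fd in a namespace -> the namespace's owner exits -> read -> close.
 * Returns bit0 = a freed namespace was used, bit1 = the namespace leaked. */
int run_scenario(int fixed) {
    struct net *ns = netns_create();
    struct exports_file f = { 0 };
    int result = 0;

    if (fixed) exports_open_fixed(&f, ns); else exports_open_vuln(&f, ns);
    put_net(ns);                          /* namespace torn down by its owner */
    if (exports_read(&f) < 0) result |= 1;
    if (fixed) exports_release_fixed(&f); else exports_release_vuln(&f);
    if (ns->alive) result |= 2;           /* reference leak check */
    free(ns);
    return result;
}
```

The vulnerable sequence reports a use of the freed namespace, while the fixed sequence keeps it alive until release() and still frees it afterwards, so the fix neither leaks nor dangles.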

Added: Apr 3, 2026, 4:25 PM
Updated: Apr 3, 2026, 4:25 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 5.0
exploitability: 3.9
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.