Linux Kernel Cred Reference Leak Vulnerability in NFSD Netlink Listener Command

Vulnerability

A vulnerability exists in the Linux kernel's NFS server (NFSD) implementation, specifically within the netlink listener command handling. The function 'nfsd_nl_listener_set_doit()' obtains the caller's credentials with 'get_current_cred()', which takes a reference, but never makes the corresponding 'put_cred()' call. The result is a reference leak: the function retains an unnecessary reference to the current credentials. Because 'nfsd_nl_listener_set_doit()' operates in process context, where the credentials are stable, it does not need a reference of its own, and the correct approach is to use 'current_cred()' instead. This vulnerability affects the Linux kernel stable tree.

Impact

The vulnerability leads to a credential reference leak, which can cause memory management issues by improperly retaining references that are no longer needed.

Reproduction

The vulnerability can be reproduced by invoking the 'nfsd_nl_listener_set_doit()' function within the NFS server's netlink command handling. This function will use 'get_current_cred()' to obtain the current credentials without releasing the reference, creating a leak. The issue can be observed by monitoring the credential reference counts before and after the function call, which will show that the reference count has increased without a corresponding decrease.

Remediation

The vulnerability has been addressed by modifying the 'nfsd_nl_listener_set_doit()' function to use 'current_cred()' instead of 'get_current_cred()'. Users should upgrade to the latest version of the Linux kernel where this patch is applied.
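
The leak and the fix can be seen in a small userspace model, added here as an illustration and not taken from the kernel source or the patch. The helper names mirror the kernel cred API; the 'listener_*' functions and the assumption that the consumer pins the cred for its own lifetime are hypothetical.

```c
/* Userspace model (constructed) of the cred reference-counting pattern.
 * Not kernel source: helper names mirror the kernel API, listener_* are hypothetical. */
#include <stdio.h>

struct cred { int usage; };                    /* stands in for the cred refcount */
static struct cred task_cred = { .usage = 1 }; /* reference held by the task itself */

static const struct cred *get_cred(const struct cred *c)
{
    ((struct cred *)c)->usage++;               /* take a reference */
    return c;
}
static void put_cred(const struct cred *c) { ((struct cred *)c)->usage--; }

/* Borrow: no count change, valid while running in the calling task's context. */
static const struct cred *current_cred(void) { return &task_cred; }
/* Acquire: the caller owns one extra reference and must put_cred() it. */
static const struct cred *get_current_cred(void) { return get_cred(&task_cred); }

/* Hypothetical consumer: pins the cred for its own lifetime, releases on teardown. */
static const struct cred *listener_create(const struct cred *c) { return get_cred(c); }
static void listener_destroy(const struct cred *held) { put_cred(held); }

/* Leaking shape: the acquired reference is handed over and never dropped. */
static void listener_set_leaky(void)
{
    listener_destroy(listener_create(get_current_cred()));
}
/* Fixed shape: borrowed pointer, nothing for the handler to release. */
static void listener_set_fixed(void)
{
    listener_destroy(listener_create(current_cred()));
}

/* Reference count delta after `calls` invocations; 0 means balanced. */
int leaked_refs(void (*handler)(void), int calls)
{
    int before = task_cred.usage;
    for (int i = 0; i < calls; i++)
        handler();
    return task_cred.usage - before;
}

int main(void)
{
    printf("leaky: +%d refs\n", leaked_refs(listener_set_leaky, 5));
    printf("fixed: +%d refs\n", leaked_refs(listener_set_fixed, 5));
    return 0;
}
```

Each call through the leaking shape leaves the count one higher even after the listener is torn down, which is the before/after difference the Reproduction section describes.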

Added: May 8, 2026, 9:08 PM
Updated: May 8, 2026, 9:08 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.