Linux Kernel NFSv3 Directory Handling Vulnerability in Create Procedure

Vulnerability

A vulnerability in the Linux kernel's NFSv3 handling has been addressed. The issue arose in the 'nfs3_proc_create' function, which failed to properly manage directory aliases. When a directory alias was encountered, the function did not return an error, so a negative dentry was processed in a way that caused a system error. This vulnerability was particularly evident in scenarios where files and directories were created and deleted simultaneously under the same name, causing file operations to mistakenly target directory inodes.

Impact

This vulnerability could lead to a system error (an 'oops') by causing the NFSv3 atomic open process to receive a negative dentry, which is not valid for file operations.

Reproduction

The vulnerability can be reproduced by running the 'lustre-racer' tool, which creates and deletes files and directories concurrently with the same name. The 'O_EXCL' flag is not used when opening files, which leads to frequent file redirection. Under these conditions, the NFSv3 'proc_create' function fails to correctly handle directory aliases, allowing the vulnerability to manifest.

Remediation

Users can update to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the official Linux kernel website.

Added: May 8, 2026, 6:58 PM
Updated: May 8, 2026, 6:58 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 7.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.