CVE-2024-56779: nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur

Description

In the Linux kernel, the following vulnerability has been resolved:

nfsd: fix nfs4_openowner leak when concurrent nfsd4_open occur

The action force umount (umount -f) will attempt to kill all rpc_task even
though the umount operation may ultimately fail if some files remain open.
Consequently, if an action attempts to open a file, it can potentially
send two rpc_task to the nfs server.

NFS CLIENT
thread1                             thread2
open("file")
...
nfs4_do_open
 _nfs4_do_open
  _nfs4_open_and_get_state
   _nfs4_proc_open
    nfs4_run_open_task
     /* rpc_task1 */
     rpc_run_task
     rpc_wait_for_completion_task

                                    umount -f
                                    nfs_umount_begin
                                     rpc_killall_tasks
                                      rpc_signal_task
     rpc_task1 been wakeup
     and return -512
 _nfs4_do_open // while loop
    ...
    nfs4_run_open_task
     /* rpc_task2 */
     rpc_run_task
     rpc_wait_for_completion_task

While processing an open request, nfsd will first attempt to find or
allocate an nfs4_openowner. If it finds an nfs4_openowner that is not
marked as NFS4_OO_CONFIRMED, this nfs4_openowner will be released. Since
two rpc_task can attempt to open the same file simultaneously from the
client to server, and because two instances of nfsd can run
concurrently, this situation can lead to lots of memory leaks.
Additionally, when we echo 0 to /proc/fs/nfsd/threads, warning will...

Classification

CVE ID: CVE-2024-56779

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 5.07% (share of scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-06 (date this score was calculated)

References

https://git.kernel.org/stable/c/a85364f0d30dee01c5d5b4afa55a9629a8f36d8e
https://git.kernel.org/stable/c/2d505a801e57428057563762f67a5a62009b2600
https://git.kernel.org/stable/c/0ab0a3ad24e970e894abcac58f85c332d1726749
https://git.kernel.org/stable/c/45abb68c941ebc9a35c6d3a7b08196712093c636
https://git.kernel.org/stable/c/37dfc81266d3a32294524bfadd3396614f8633ee
https://git.kernel.org/stable/c/6f73f920b7ad0084373e46121d7ac34117aed652
https://git.kernel.org/stable/c/98100e88dd8865999dc6379a3356cd799795fe7b
