CVE-2024-56740

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-56740
In the Linux kernel, the following vulnerability has been resolved: nfs/localio: must clear res.replen in nfs_local_read_done Otherwise memory corruption can occur due to NFSv3 LOCALIO reads leaving garbage in res.replen: - nfs3_read_done() copies that into server->read_hdrsize; from there nfs3_proc_read_setup() copies it to args.replen in new requests. - nfs3_xdr_enc_read3args() passes that to rpc_prepare_reply_pages() which includes it in hdrsize for xdr_init_pages, so that rq_rcv_buf contains a ridiculous len. - This is copied to rq_private_buf and xs_read_stream_request() eventually passes the kvec to sock_recvmsg() which receives incoming data into entirely the wrong place. This is easily reproduced with NFSv3 LOCALIO that is servicing reads when it is made to pivot back to using normal RPC. This switch back to using normal NFSv3 with RPC can occur for a few reasons but this issue was exposed with a test that stops and then restarts the NFSv3 server while LOCALIO is performing heavy read IO.

7.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/650703bc4ed3edf841e851c99ab8e7ba9e5262a3 Patch
https://git.kernel.org/stable/c/de5dac261eeab99762bbdf7c20cee5d26ef4462e Patch
Configurations

Configuration 1 (hide)

cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
History

07 Jan 2025, 22:24

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: nfs/localio: debe borrar res.replen en nfs_local_read_done De lo contrario, puede producirse corrupción de memoria debido a que las lecturas LOCALIO de NFSv3 dejan basura en res.replen: - nfs3_read_done() copia eso en server->read_hdrsize; desde allí, nfs3_proc_read_setup() lo copia en args.replen en nuevas solicitudes. - nfs3_xdr_enc_read3args() pasa eso a rpc_prepare_reply_pages() que lo incluye en hdrsize para xdr_init_pages, de modo que rq_rcv_buf contiene una longitud ridícula. - Esto se copia a rq_private_buf y xs_read_stream_request() eventualmente pasa el kvec a sock_recvmsg() que recibe datos entrantes en un lugar completamente equivocado. Esto se reproduce fácilmente con NFSv3 LOCALIO, que está prestando servicio a las lecturas, cuando se le obliga a volver a utilizar RPC normal. Este cambio a utilizar NFSv3 normal con RPC puede ocurrir por varias razones, pero este problema se expuso con una prueba que detiene y luego reinicia el servidor NFSv3 mientras LOCALIO realiza operaciones de E/S de lectura pesadas.
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.8
References () https://git.kernel.org/stable/c/650703bc4ed3edf841e851c99ab8e7ba9e5262a3 - () https://git.kernel.org/stable/c/650703bc4ed3edf841e851c99ab8e7ba9e5262a3 - Patch
References () https://git.kernel.org/stable/c/de5dac261eeab99762bbdf7c20cee5d26ef4462e - () https://git.kernel.org/stable/c/de5dac261eeab99762bbdf7c20cee5d26ef4462e - Patch
CPE cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
First Time Linux
Linux linux Kernel
CWE CWE-787

29 Dec 2024, 12:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-12-29 12:15

Updated : 2025-01-07 22:24

NVD link : CVE-2024-56740

Mitre link : CVE-2024-56740

CVE.ORG link : CVE-2024-56740

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-787

Out-of-bounds Write