CVE-2023-53360

I found that the read code might send multiple requests using the same nfspgioheader, but nfs4procreadsetup() is only called once. This is how we ended up occasionally double-freeing the scratch buffer, but also means we set a NULL pointer but non-zero length to the xdr scratch buffer. This results in an oops the first time decoding needs to copy something to scratch, which frequently happens when decoding READPLUS hole segments.

I fix this by moving scratch handling into the pageio read code. I provide a function to allocate scratch space for decoding read replies, and free the scratch buffer when the nfspgioheader is freed.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

886959f425b6a936a30b82a297ae3aecb3b8230f

Fixed

adac9f0ddd2b291c7ce41f549fdb27a13616cff5

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fbd2a05f29a95d5b42b294bf47e55a711424965b

Fixed

a2f4cb206bd94b3f4a7bb05fcdce9525283b5681

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fbd2a05f29a95d5b42b294bf47e55a711424965b

Fixed

ae5d5672f1db711e91db6f52df5cb16ecd8f5692

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

fbd2a05f29a95d5b42b294bf47e55a711424965b

Fixed

303a78052091c81e9003915c521fdca1c7e117af

Affected versions

v6.*

v6.3

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.4.1

v6.4.10

v6.4.11

v6.4.12

v6.4.13

v6.4.14

v6.4.15

v6.4.2

v6.4.3

v6.4.4

v6.4.5

v6.4.6

v6.4.7

v6.4.8

v6.4.9

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.5.1

v6.5.2

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.4.0

Fixed

6.4.16

Type: ECOSYSTEM
Events: Introduced

6.5.0

Fixed

6.5.3