Chuck Lever

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue concerns a NULL dereference in the `nfsd4 process cb update()` function. Specifically, the `@ses` variable is initialized to NULL. If the ` nfsd4 find backchannel()` function does not find an available backchannel session, the `setup callback client()` function will attempt to dereference `@ses`, resulting in a segmentation fault. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue was in the mm module, specifically regarding shmem, and was causing deadlocks when accessing tmpfs over NFS. The change was meant to fix a data-race in shmem getattr(), but it was reverted as suggested by Chuck. As Hugh commented, the change was added just to silence a syzbot sanitizer splat, and it was added where there has never been any practical problem. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue concerns the Linux kernel's NFSD, where there is no limit to the number of concurrent async COPY operations that clients can start. Each async COPY can copy an unlimited number of 4MB chunks, potentially running for a long time and becoming a Denial of Service (DoS) vector. A restriction mechanism has been implemented to bound the number of concurrent background COPY operations per namespace. If this limit is exceeded, an async COPY request receives NFS4ERR DELAY, and the client can choose to resend the request after a delay or use a traditional read/write style copy. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the use of `nfs folio length` without proper locking and checks, which can lead to kernel crashes due to truncations. This occurs when running xfstests generic/065 with all nfs trace points enabled. The solution involves passing explicit offset and length to trace events, following the model of XFS trace points, to provide more accurate values. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the SUNRPC module in the Linux kernel, specifically with the function gss free in token pages(). The in token->pages[] array is not NULL terminated, resulting in a potential wild-memory-access issue. This can lead to a denial of service. The vulnerability is associated with insufficient memory allocation for an operation in the gss read proxy verf() function. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A resolved issue in the Linux kernel involves preventing svc rdma build writes() from walking off the end of a Write chunk's segment array, which could lead to RDMA segment overflows in SUNRPC. This issue was identified using KASAN. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the NFSD component of the Linux kernel, specifically with the handling of large file sizes in NFSv3 SETATTR/CREATE procedures. The `iattr::ia size` is a `loff t`, and the procedures must carefully handle incoming client size values that are larger than `s64 max` without corrupting the value. Silently capping the value results in storing a different value than the client passed in, which is unexpected behavior. The fix involves removing the `min t()` check in `decode sattr3()`. According to RFC 1813, only the WRITE procedure should return NFS3ERR FBIG. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to an integer underflow in the NFSD component of the Linux kernel. This underflow occurs because the `ia size` variable, which is a signed 64-bit type, can be assigned a value larger than `S64 MAX` when an NFS client sends a file size value that exceeds the maximum limit handled by Linux. The underflow happens in the `nfsd setattr()` function, which is part of the common code path for both NFSv3 and NFSv4. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.