Olga Kornievskaia

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue concerns the initialization of the struct nfsd4 copy in the Linux kernel's NFSD component. Specifically, the refcount and async copies fields must be initialized early to prevent potential issues, such as a refcount underflow, when the cleanup async copy() function references these fields in case of an error in nfsd4 copy(). Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the NFSD component in the Linux kernel. Specifically, the error flow in `nfsd4 copy()` calls `cleanup async copy()`, which already decrements `nn->pending async copies`. This indicates a problem with the handling of asynchronous copies in the kernel. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: The issue arises when multiple FREE STATEIDs are sent for the same delegation stateid, potentially leading to use-after-free or counter refcount underflow errors. This occurs because the code drops the client lock before calling `nfs4 put stid()`, allowing another FREE STATE to find the stateid again, which can result in freeing the stateid and causing either use-after-free or decrementing an already zeroed counter. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel's nfsd component, where a panic can occur when handling closed files in nfs4 show open. Prior to a specific commit, the states show function relied on the sc type field being of a valid type before calling a subfunction to show content of a particular stateid. After the commit, the validity of the stateid was split into sc status, and sc type was no longer changed to 0 while unhashing the stateid. This resulted in kernel oopsing for nfsv4.0 opens that stay around, and in nfs4 show open, it would dereference sc file, which was NULL. To reproduce, one can mount the server with 4.0, read and close a file, and then on the server, cat /proc/fs/nfsd/clients/2/states. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.8.0-rc6+ **Description** The vulnerability is related to the SUNRPC module in the Linux kernel, specifically with the TCP TLS functionality. A missing rpc stat for TCP TLS can cause a kernel NULL pointer dereference when mounting with xprtsec=tls, leading to a kernel oops. The issue arises from a commit that added functionality to specify rpc stats function but missed adding it to the TCP TLS functionality. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the SUNRPC vulnerability, which adds the missing rpc stat for TCP TLS. Ensure that the updated kernel version is compatible with your system and configuration.