PT-2024-37051 · Linux · Linux Kernel

Mike Snitzer · Published 2024-11-09 · Updated 2025-01-07 · CVE-2024-56740

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified)

Description: The issue is a memory corruption caused by NFSv3 LOCALIO reads leaving garbage in res.replen. nfs3_read_done() copies that value into server->read_hdrsize, from where nfs3_proc_read_setup() copies it into args.replen for new requests. The value is then passed to rpc_prepare_reply_pages() and included in the hdrsize given to xdr_init_pages(), so rq_rcv_buf ends up with a ridiculous length. That buffer is eventually copied to rq_private_buf and passed to sock_recvmsg(), which receives incoming data into the wrong place. The issue is easily reproduced when NFSv3 LOCALIO servicing reads is made to pivot back to normal RPC, for example when the NFSv3 server is stopped and then restarted while LOCALIO is performing heavy read IO.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Weakness Enumeration

Related Identifiers

BDU:2025-02813
CVE-2024-56740

Affected Products

Linux Kernel