CVE-2021-47107

NFSD: Fix READDIR buffer overflow

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

NFSD: Fix READDIR buffer overflow

If a client sends a READDIR count argument that is too small (say,
zero), then the buffer size calculation in the new init_dirlist
helper functions results in an underflow, allowing the XDR stream
functions to write beyond the actual buffer.

This calculation has always been suspect. NFSD has never sanity-
checked the READDIR count argument, but the old entry encoders
managed the problem correctly.

With the commits below, entry encoding changed, exposing the
underflow to the pointer arithmetic in xdr_reserve_space().

Modern NFS clients attempt to retrieve as much data as possible
for each READDIR request. Also, we have no unit tests that
exercise the behavior of READDIR at the lower bound of @count
values. Thus this case was missed during testing.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: NFSD: corrige el desbordamiento del búfer READDIR Si un cliente envía un argumento de recuento READDIR que es demasiado pequeño (digamos, cero), entonces el cálculo del tamaño del búfer en las nuevas funciones auxiliares init_dirlist da como resultado un subdesbordamiento, lo que permite que las funciones de flujo XDR escriban más allá del búfer real. Este cálculo siempre ha sido sospechoso. NFSD nunca ha verificado la cordura del argumento de conteo READDIR, pero los codificadores de entrada antiguos manejaron el problema correctamente. Con las confirmaciones a continuación, la codificación de entrada cambió, exponiendo el desbordamiento a la aritmética del puntero en xdr_reserve_space(). Los clientes NFS modernos intentan recuperar la mayor cantidad de datos posible para cada solicitud READDIR. Además, no tenemos pruebas unitarias que ejerzan el comportamiento de READDIR en el límite inferior de los valores @count. Por lo tanto, este caso se pasó por alto durante las pruebas.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-03-04 CVE Reserved
2024-03-04 CVE Published
2024-06-22 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/7f87fc2d34d475225e78b7f5c4eabb121f4282b2	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/eabc0aab98e5218ceecd82069b0d6fdfff5ee885	2021-12-29
https://git.kernel.org/stable/c/53b1119a6e5028b125f431a0116ba73510d82a72	2021-12-18
https://git.kernel.org/stable/c/9e291a6a28d32545ed2fd959a8165144d1724df1	2024-06-21

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.15.12 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.15.12"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.13 < 5.16 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.13 < 5.16"		en		Affected