A significant vulnerability has been discovered and resolved in the Linux kernel, specifically within the Network File System (NFS) fs_context module. This vulnerability, tracked as CVE-2021-46952, is caused by missing validation of the UDP retrans value, which leads to a shift out-of-bounds in the xprt_calc_majortimeo() function. In simpler terms, an attacker could potentially trigger this flaw to cause unpredictable system behavior or crashes.

The origin of this vulnerability can be traced to an invalid retrans (retransmission count) value being passed to the NFS mount; the problem was first spotted by the syzkaller fuzzer. The subsequent fix ensures that the retrans value is validated so that the shift can never go out of bounds.

To better understand the issue and the applied fix, let's delve deeper into the code snippets, exploit details, and relevant references.

The following code snippet shows the fix introduced to validate the UDP retrans value:

diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 59d3f74c9d45..40109931efd3 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -365,6 +365,10 @@ static unsigned long xprt_calc_majortimeo(struct rpc_xprt *xprt, unsigned long t
    unsigned long majortimeo = tmo;
    unsigned long max_ntimeo = xprt->max_retries + 1;

+   if (xprt->prot == XPRT_TRANSPORT_UDP && xprt->retrans >= 64)
+           return -EINVAL;
+
    while (--ntimeo) {
            tmo <<= xprt->retrans;
            majortimeo += tmo;
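
Review bot: the hunk header shows xprt_calc_majortimeo() returning `unsigned long`, so `return -EINVAL;` is converted to a very large timeout value rather than an error the caller can detect; the check belongs where the mount option is parsed (the surrounding text places the fix in the NFS fs_context code), in a function whose return type can carry the error. The bound `xprt->retrans >= 64` also hard-codes the 64-bit word size: `tmo <<= xprt->retrans;` is undefined for any shift count greater than or equal to the width of `unsigned long`, so on 32-bit builds retrans values 32..63 still pass the check; compare against BITS_PER_LONG instead. Unrelated to the added lines, the loop condition `while (--ntimeo)` uses `ntimeo` while the declared local is `max_ntimeo`; worth confirming the context lines were copied correctly.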

This code snippet ensures that if the transport protocol employed is 'XPRT_TRANSPORT_UDP', the 'retrans' value must be less than 64. If this condition is violated, the mount operation is rejected and an error is returned.

Exploit Details

To exploit this vulnerability, an attacker would need to pass an invalid retrans value to the NFS mount, which, when not correctly validated, results in a shift out-of-bounds in the xprt_calc_majortimeo() function. Consequently, this can cause unexpected system behavior or a crash. With the patch mentioned above, the retrans value is now properly validated, mitigating the risk of exploitation.
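As an added example (not the kernel's code or the patch quoted above), the following user-space C model reproduces the timeout loop the text describes and shows the two checks a reviewer would want: the shift count is bounded by the width of `unsigned long` rather than a hard-coded 64, and arithmetic wrap of the accumulated timeout is rejected. The function names and the `-ERANGE` return for overflow are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>

/* Width of unsigned long on this build, mirroring the kernel's BITS_PER_LONG. */
#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)

/*
 * Model of the majortimeo computation described on the page:
 * each retry shifts the timeout left by `retrans` and adds it to the total.
 * Returns 0 and writes *out on success, -EINVAL if `retrans` would shift
 * out of bounds, -ERANGE if the shift or the sum would wrap.
 * (Hypothetical function, not the kernel's xprt_calc_majortimeo().)
 */
int calc_majortimeo_checked(unsigned long tmo, unsigned int retrans,
                            unsigned int max_retries, unsigned long *out)
{
    unsigned long majortimeo = tmo;
    unsigned long ntimeo = (unsigned long)max_retries + 1;

    /* Shifting by >= the type width is undefined behaviour in C. */
    if (retrans >= BITS_PER_LONG)
        return -EINVAL;

    while (--ntimeo) {
        /* tmo << retrans loses bits if any of the top `retrans` bits are set. */
        if (retrans != 0 && (tmo >> (BITS_PER_LONG - retrans)) != 0)
            return -ERANGE;
        tmo <<= retrans;
        if (majortimeo > ULONG_MAX - tmo)
            return -ERANGE;
        majortimeo += tmo;
    }
    *out = majortimeo;
    return 0;
}

/* Convenience wrapper: returns the timeout, or 0 when validation fails. */
unsigned long majortimeo_or_zero(unsigned long tmo, unsigned int retrans,
                                 unsigned int max_retries)
{
    unsigned long out;
    return calc_majortimeo_checked(tmo, retrans, max_retries, &out) == 0 ? out : 0;
}

int main(void)
{
    /* Constructed inputs: a sane mount and the out-of-bounds value from the page. */
    printf("retrans=1  -> %lu\n", majortimeo_or_zero(1000, 1, 2));  /* 7000 */
    printf("retrans=64 -> %lu\n", majortimeo_or_zero(1000, 64, 2)); /* 0 (rejected) */
    return 0;
}
```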

Original References

1. Bug report discovered by syzkaller: https://lore.kernel.org/linux-nfs/001a113f47dd32a07309c344e66e88f4@acm.org/T/#t
2. Fix commit in Linux kernel repository: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=40109931efd3213bca59df127433cdfecea2281
3. Detailed explanation of the vulnerability (Linux Kernel Mailing List - LKML): https://lkml.org/lkml/2021/10/27/229

Conclusion

The CVE-2021-46952 vulnerability within the Linux kernel's NFS fs_context module was identified and resolved by validating the UDP retrans value to prevent a shift out-of-bounds. While the vulnerability could have led to system crashes or unexpected behavior, the timely patch ensures that the Linux kernel remains protected against such exploits. It is highly recommended to update your kernel to the latest version to stay protected from this and other security vulnerabilities.

Timeline

Published on: 02/27/2024 19:04:06 UTC
Last modified on: 04/10/2024 20:15:42 UTC