CVE-2024-56779 - Memory Leak in Linux Kernel’s NFSv4 openowner Handling - Details & Exploitation

Summary:
CVE-2024-56779 marks a critical resource leak in the Linux kernel’s NFS (Network File System) server, specifically in the handling of NFSv4 openowners during simultaneous file open and forced umount actions. This issue is fixed in newer kernel versions, but understanding the bug is vital for sysadmins and security researchers.

What is CVE-2024-56779?

CVE-2024-56779 is a vulnerability in the Linux kernel (found in versions up to v6.12-rc6+) within the NFS server daemon (nfsd). When a forceful unmount (umount -f) is triggered alongside NFSv4 file open operations hitting the server, improper cleanup occurs. This leads to memory leaks of critical structures: nfs4_openowner, nfsd_file, and nfsd_file_mark.

Memory allocation objects are *leaked*, and not reclaimed even after NFS service shutdown.

- Potential kernel warnings (BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()) occur.

Client’s Thread 1:

The operation fails, but (due to kernel retry logic), it re-attempts to open the file, possibly leading the server to allocate a *new* nfs4_openowner.

Simultaneously, the server’s nfsd threads see inconsistent object states — unconfirmed owners are released before being associated, so linked objects like stateids and file structures are never freed.

Server Race Example (simplified pseudo-sequence)

nfsd4_open {
    // Server Thread 1
    oo1 = find_or_alloc_open_stateowner(); // alloc oo1, stateid1
    ... (work interrupted by umount -f)

    // Server Thread 2 (in parallel)
    oo1 = find_or_alloc_open_stateowner(); // finds oo1, not confirmed, releases
    alloc_stateowner(); // alloc oo2
}

Proof-of-Concept: Triggering the Leak

Below is a simplified sketch for reproducing the bug by simultaneously opening files and forcing unmounts on an NFS share.

# On Client A: NFS mount point is /mnt/nfs
# Terminal 1: continuous file opens
while true; do
    cat /mnt/nfs/testfile >/dev/null
done

# Terminal 2: loop forcibly unmounting
while true; do
    umount -f /mnt/nfs
    sleep 1
    mount -t nfs4 <nfs-server>:/export /mnt/nfs
done

On the server, examine dmesg logs for nfsd-related warnings like

BUG nfsd_file (Not tainted): Objects remaining in nfsd_file on __kmem_cache_shutdown()
...
nfsd_file_slab: objects=34 used=1 ...

Root Cause: Code Walkthrough

In the server code, the find_or_alloc_open_stateowner and release_openowner functions interact poorly under concurrency:

struct nfs4_openowner *find_or_alloc_open_stateowner(...) {
    ...
    if (!confirmed) {
        release_openowner(oo);
        // oo isn't hashed/freed properly; further leak follows
    }
    ...
}

When a confirmed owner isn’t found, the unconfirmed object is simply dropped, and other linked kernel memory objects (file marks, stateid, etc) are orphaned and never released.

Impact & Exploitability

While this vulnerability does not allow privilege escalation by itself, it is exploitable for Denial-of-Service (DoS):

Attackers with NFS client access can cause unbounded kernel memory growth.

- Servers under frequent forced unmounts and file operations risk being OOM-killed or becoming unstable.

Fix:

The upstream commit ensures proper cleanup and reference counting for nfs4_openowner and its associated objects in concurrent scenarios.

Relevant Patch

- if (!confirmed) {
-     release_openowner(oo);
-     oo = alloc_stateowner(...);
- }
+ if (!confirmed) {
+     properly_unref_and_release(oo_and_friends);
+     oo = alloc_stateowner(...);
+ }

*(Note: Actual code is more complex. This is simplified for illustration.)*

References

- Linux kernel commit fixing the bug
- Patch discussion on linux-nfs mailing list
- Linux NFSd source code

Summary

- CVE-2024-56779 is a race-condition-driven kernel memory leak in NFSv4 server’s openowner management.
- Exploitation: Client-side forced unmounts + rapid file open requests, especially in busy or adversarial environments.
- Solution: Patch your kernel if you run NFSv4. Monitor for lingering objects and update as soon as vendor patches are available.


> Stay safe! Always update NFS servers running on Linux kernels. This exclusive breakdown simplifies a tricky race that could quietly destabilize your storage servers.


Need help checking your system? [Check for kernel warnings, or look at /proc/slabinfo for growing nfsd-related objects! Edit your NFS server configuration to minimize untrusted client access.

Timeline

Published on: 01/08/2025 18:15:18 UTC
Last modified on: 01/09/2025 21:48:56 UTC