Unrated severity · NVD Advisory · Published Jan 27, 2020 · Updated Aug 5, 2024

CVE-2019-20426

Description

In the Lustre file system before 2.12.3, the ptlrpc module has an out-of-bounds access and panic due to the lack of validation for specific fields of packets sent by a client. In the function ldlm_cancel_hpreq_check, there is no lock_count bounds check.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Insecure packet field validation in Lustre ptlrpc module before 2.12.3 allows remote unauthenticated clients to trigger a kernel panic via a crafted lock cancel request.

Vulnerability

The Lustre file system's ptlrpc module, in versions before 2.12.3, contains an out-of-bounds access vulnerability in the function ldlm_cancel_hpreq_check. This function fails to validate the lock_count field in incoming client packets, leading to a kernel NULL pointer dereference and subsequent system panic. The issue was identified as LU-12614 and is described as a lack of validation for specific fields of packets sent by a client [1][2].

Exploitation

An attacker does not need any prior authentication or special privileges beyond network access to the Lustre target. By sending a crafted packet with an invalid lock_count value to a Lustre server (e.g., an OST or MDS), the attacker can trigger the unvalidated code path in ldlm_cancel_hpreq_check. This causes a NULL pointer dereference when the kernel attempts to access memory based on the attacker-supplied count, resulting in a denial-of-service condition [2].

Impact

Successful exploitation causes a kernel panic (as shown in the bug report's Oops trace, with a NULL pointer dereference at offset 0x1c) [2]. This immediately crashes the affected Lustre server component, impacting file system availability for all clients connected to that server. The vulnerability is classified as a denial-of-service (availability impact); there is no indication of information disclosure or privilege escalation from the available references.

Mitigation

The vulnerability is fixed in Lustre version 2.12.3 (released January 2020) [1]. The fix adds proper bounds checking for the lock_count field before use. Administrators should upgrade all Lustre server nodes to 2.12.3 or later. There is no workaround identified in the references; the only mitigation is to update. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog.
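
The kind of check the Mitigation paragraph describes, as an added illustration that is neither Lustre's code nor the actual patch: a simplified request model in which the client-supplied lock_count is compared against the bytes actually received before any handle is read. The struct layout, HANDLE_SIZE, MAX_HANDLES, the zero-count policy and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, not Lustre's wire layout: header + lock_count 8-byte handles. */
struct cancel_hdr {
    uint32_t lock_flags;
    uint32_t lock_count;   /* client-supplied, untrusted */
};
#define HANDLE_SIZE 8u
#define MAX_HANDLES 1024u  /* illustrative policy cap (assumption) */

/* Returns 0 when lock_count is consistent with the bytes received, else -1. */
int cancel_req_validate(const uint8_t *buf, size_t len, struct cancel_hdr *out)
{
    if (buf == NULL || out == NULL || len < sizeof(*out))
        return -1;
    memcpy(out, buf, sizeof(*out));   /* copy: buf may be unaligned */
    /* Divide rather than multiply so the comparison cannot overflow. */
    if (out->lock_count == 0 || out->lock_count > MAX_HANDLES ||
        out->lock_count > (len - sizeof(*out)) / HANDLE_SIZE)
        return -1;
    return 0;
}

/* Counts non-zero handles, reading them only after validation has passed. */
int cancel_req_live_handles(const uint8_t *buf, size_t len)
{
    struct cancel_hdr hdr;
    int live = 0;
    if (cancel_req_validate(buf, len, &hdr) != 0)
        return -1;                    /* reject instead of reading past len */
    for (uint32_t i = 0; i < hdr.lock_count; i++) {
        uint64_t h;
        memcpy(&h, buf + sizeof(hdr) + (size_t)i * HANDLE_SIZE, sizeof(h));
        live += (h != 0);
    }
    return live;
}

/* Constructed input: body carries 2 handles, header claims `claimed`. */
int demo(uint32_t claimed)
{
    uint8_t msg[sizeof(struct cancel_hdr) + 2 * HANDLE_SIZE] = {0};
    struct cancel_hdr hdr = { 0, claimed };
    memcpy(msg, &hdr, sizeof(hdr));
    msg[sizeof(hdr)] = msg[sizeof(hdr) + HANDLE_SIZE] = 1;  /* two live handles */
    return cancel_req_live_handles(msg, sizeof(msg));
}
```

A request whose header count matches its body is processed; one that claims more handles than were received is rejected before the loop runs.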

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Lustre/Lustre file system · description
  • Lustre/Lustre · llm-fuzzy
    Range: <2.12.3


References

4
