CVE-2023-54276

Description

CVE-2023-54276 is a NULL-pointer dereference vulnerability in the Linux kernel's NFS NFS daemon (nfsd) reply cache statistics counters. The root cause is a regression introduced by commit f5f9d4a314da, which moved the initialization of the per-CPU reply cache statistics counters out of the network namespace initialization function (nfsd_init_net) into the nfsd startup path. When nfsd is not yet started, these counters remain uninitialized, leading to a NULL-pointer dereference when the /proc/fs/nfsd/reply_cache_stats proc file is read [1][2].

Exploitation

An unprivileged user can trigger the vulnerability by mounting the /proc/fs/nfsd filesystem (if not already mounted) in a network namespace and then reading /proc/fs/nfsd/reply_cache_stats while nfsd is not running in that namespace. On architectures such as aarch64, this results in a user-triggerable kernel oops. On x86_64, the this_cpu_ptr(NULL) call may return a fixed per-CPU data area that resembles a properly initialized struct, potentially masking the crash but leaving the system in an undefined state [1][2].

Impact

A successful exploit allows an unprivileged user to cause a kernel oops (denial of service). The vulnerability is local, requires access to a network namespace with /proc/fs/nfsd mounted, and does not require authentication beyond normal user permissions. The oops can lead to system instability or crash, impacting availability [1][2].

Mitigation

The fix moves the initialization of the per-net+per-CPU reply cache counters back into nfsd_init_net, ensuring the stats structures are allocated and initialized before any proc file access occurs. The rest of the reply cache allocations remain deferred to nfsd startup time. The patch has been applied to the Linux kernel stable trees and is present in versions that include commit 66a178177b2b or 8549384d0f65 [1][2]. Users should update their kernel to incorporate this fix.