CVE-2023-54276

Description

In the Linux kernel, the following vulnerability has been resolved: nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: - non-x86_64 arch - /proc/fs/nfsd is mounted in the namespace - nfsd is not started in the namespace - unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats" Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down.

PUBLISHED Reserved 2025-12-30 | Published 2025-12-30 | Updated 2025-12-30 | Assigner Linux

Product status

References

git.kernel.org/...c/3025d489f9c8984d1bf5916c4a20097ed80fca5c

git.kernel.org/...c/8549384d0f65981761fe2077d04fa2a8d37b54e0

git.kernel.org/...c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566

git.kernel.org/...c/768c408594b52d8531e1a8ab62e5620c19213e73

git.kernel.org/...c/ed9ab7346e908496816cffdecd46932035f66e2e

cve.org (CVE-2023-54276)

nvd.nist.gov (CVE-2023-54276)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.