The Synopsys Cybersecurity Research Center (CyRC) has identified problems with buffer handling in the Linux kernel NFSD implementation, reported as CVE-2022-43945. The mechanism causing the problem has been in the kernel code for decades and might be exploited in diverse ways depending on the version of the kernel and NFS operation used.
NFSD tracks the number of pages held by each NFSD thread by combining the receive and send buffers of a remote procedure call (RPC) into a single array of pages. Historically, this approach was used to optimize memory usage when no single operation needed a large RPC message and a large RPC reply message at the same time. Because the two buffers share one array, the send buffer must shrink as the size of the received RPC message grows.
A client can force the send buffer to shrink by sending an RPC message over TCP with garbage data appended to the end of the message. The RPC message with garbage data is still correctly formed according to the specification and is passed on to the handlers. Vulnerable code in NFSD does not expect the oversized request and writes beyond the allocated buffer space.
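The shared-buffer accounting described above, as an added example that is a constructed model and not the kernel's NFSD or SUNRPC code; the page sizes, the `rpc_bufs` structure and every `model_*` function are assumptions. It shows how a received message that claims most of the page array leaves a much smaller send area, how a reply writer that bounds itself against the static maximum reply size computes a write past the end of the array, and how a writer that bounds itself against the capacity actually remaining rejects the same reply instead:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one per-thread page array shared between the
 * receive side and the send side of a single RPC. The received message
 * claims pages from the front; whatever remains is the reply buffer.
 * Sizes and names are illustrative assumptions, not the kernel's. */
#define MODEL_PAGE_SIZE   4096u
#define MODEL_TOTAL_PAGES 16u
#define MODEL_ARRAY_BYTES (MODEL_PAGE_SIZE * MODEL_TOTAL_PAGES)

struct rpc_bufs {
    size_t recv_pages;                    /* pages claimed by the received message */
    size_t send_pages;                    /* pages left over for the reply */
    unsigned char pages[MODEL_ARRAY_BYTES];
};

/* Account for a received message of wire_len bytes. The transport counts
 * every byte on the wire, so trailing bytes the handler never parses still
 * claim pages and shrink the send area. Returns -1 only when the message
 * cannot fit in the array at all. */
int model_receive(struct rpc_bufs *b, size_t wire_len)
{
    size_t need = (wire_len + MODEL_PAGE_SIZE - 1) / MODEL_PAGE_SIZE;
    if (need > MODEL_TOTAL_PAGES)
        return -1;
    b->recv_pages = need;
    b->send_pages = MODEL_TOTAL_PAGES - need;
    return 0;
}

/* Bytes actually available to a reply after the receive accounting. */
size_t model_send_capacity(const struct rpc_bufs *b)
{
    return b->send_pages * MODEL_PAGE_SIZE;
}

/* Vulnerable pattern: the reply writer bounds itself against the static
 * maximum reply size (the whole array) instead of the send area that is
 * left after a large receive. Returns -1 if even that static check rejects
 * the reply, otherwise the number of bytes the write would land past the
 * end of the array. This model only computes the overrun; it never
 * performs the out-of-bounds write. */
long model_reply_overrun_static(const struct rpc_bufs *b, size_t reply_len)
{
    if (reply_len > MODEL_ARRAY_BYTES)
        return -1;
    size_t send_start = b->recv_pages * MODEL_PAGE_SIZE;
    size_t end = send_start + reply_len;
    return end > MODEL_ARRAY_BYTES ? (long)(end - MODEL_ARRAY_BYTES) : 0;
}

/* Hardened pattern: bound the reply against the capacity that actually
 * remains. Returns 0 after copying the reply into the send area, -1 if it
 * does not fit; memory outside the array is never touched. */
int model_reply_write_checked(struct rpc_bufs *b, const unsigned char *reply,
                              size_t reply_len)
{
    if (reply_len > model_send_capacity(b))
        return -1;
    memcpy(&b->pages[b->recv_pages * MODEL_PAGE_SIZE], reply, reply_len);
    return 0;
}

/* Scenario helpers: one receive followed by one reply attempt on a static
 * instance. Both return -2 if the receive itself did not fit. */
long model_scenario_static(size_t wire_len, size_t reply_len)
{
    static struct rpc_bufs b;
    if (model_receive(&b, wire_len) != 0)
        return -2;
    return model_reply_overrun_static(&b, reply_len);
}

int model_scenario_checked(size_t wire_len, size_t reply_len)
{
    static struct rpc_bufs b;
    static unsigned char reply[MODEL_ARRAY_BYTES];  /* constructed reply payload (zeros) */
    if (model_receive(&b, wire_len) != 0)
        return -2;
    return model_reply_write_checked(&b, reply, reply_len);
}

int main(void)
{
    size_t big_recv = 14 * MODEL_PAGE_SIZE;  /* a message that claims 14 of the 16 pages */
    printf("send capacity after big receive: %zu bytes\n",
           (size_t)(2 * MODEL_PAGE_SIZE));
    printf("static-bound writer, 10000-byte reply: overrun of %ld bytes\n",
           model_scenario_static(big_recv, 10000));
    printf("capacity-bound writer, 10000-byte reply: result %d (-1 = rejected)\n",
           model_scenario_checked(big_recv, 10000));
    return 0;
}
```

The two writers disagree only once the receive side has grown: with a one-page message both accept a 10000-byte reply, but after a 14-page message the static check still passes while the send area holds only 8192 bytes, which is exactly the condition the text describes.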
While investigating the reported vulnerability, other buffer-handling issues in the NFSD code were found and fixed.
At a minimum, the vulnerabilities can be used for a denial-of-service attack.