CVE-2024-56740
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-56740
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-56740.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-56740
- Downstream
- Published
- 2024-12-29T11:30:09.180Z
- Modified
- 2025-12-05T07:59:16.899107Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- nfs/localio: must clear res.replen in nfs_local_read_done
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
nfs/localio: must clear res.replen in nfslocalread_done
Otherwise memory corruption can occur due to NFSv3 LOCALIO reads leaving garbage in res.replen: - nfs3readdone() copies that into server->readhdrsize; from there nfs3procreadsetup() copies it to args.replen in new requests. - nfs3xdrencread3args() passes that to rpcpreparereplypages() which includes it in hdrsize for xdrinitpages, so that rqrcvbuf contains a ridiculous len. - This is copied to rqprivatebuf and xsreadstreamrequest() eventually passes the kvec to sockrecvmsg() which receives incoming data into entirely the wrong place.
This is easily reproduced with NFSv3 LOCALIO that is servicing reads when it is made to pivot back to using normal RPC. This switch back to using normal NFSv3 with RPC can occur for a few reasons but this issue was exposed with a test that stops and then restarts the NFSv3 server while LOCALIO is performing heavy read IO.
- Database specific
{ "cna_assigner": "Linux", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56740.json" }- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/650703bc4ed3edf841e851c99ab8e7ba9e5262a3
- https://git.kernel.org/stable/c/de5dac261eeab99762bbdf7c20cee5d26ef4462e
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/56xxx/CVE-2024-56740.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-56740