Question about CVE-2022-24448

Hi Trond and Tao,

I have some questions about CVE-2022-24448[1].

Its description is:
  An issue was discovered in fs/nfs/dir.c in the Linux kernel before 5.16.5.
  If an application sets the O_DIRECTORY flag, and tries to open a regular
  file, nfs_atomic_open() performs a regular lookup. If a regular file is
  found, ENOTDIR should occur, but the server instead returns uninitialized
  data in the file descriptor.

It's fixed by ac795161c936 ("NFSv4: Handle case where the lookup of a directory fails")

When trying to open a regular file with the O_DIRECTORY flag,
it always returns -ENOTDIR to userspace rather than a
valid file descriptor, because 'do_open' checks the
dentry type.

My questions are:
1. Which uninitialized data in the file descriptor are returned from 'nfs_atomic_open'?
2. Where are the uninitialized data used?
3. Which uninitialized data are returned from the server?
4. Is there a PoC reproducer, or how can it be triggered?


[1] https://nvd.nist.gov/vuln/detail/CVE-2022-24448