CVE-2023-54276 (GCVE-0-2023-54276)
Vulnerability from cvelistv5
Published
2025-12-30 12:16
Modified
2025-12-30 12:16
Severity ?
Summary
In the Linux kernel, the following vulnerability has been resolved: nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net Commit f5f9d4a314da ("nfsd: move reply cache initialization into nfsd startup") moved the initialization of the reply cache into nfsd startup, but didn't account for the stats counters, which can be accessed before nfsd is ever started. The result can be a NULL pointer dereference when someone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still shut down. This is a regression and a user-triggerable oops in the right situation: - non-x86_64 arch - /proc/fs/nfsd is mounted in the namespace - nfsd is not started in the namespace - unprivileged user calls "cat /proc/fs/nfsd/reply_cache_stats" Although this is easy to trigger on some arches (like aarch64), on x86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the fixed_percpu_data. That struct looks just enough like a newly initialized percpu var to allow nfsd_reply_cache_stats_show to access it without Oopsing. Move the initialization of the per-net+per-cpu reply-cache counters back into nfsd_init_net, while leaving the rest of the reply cache allocations to be done at nfsd startup time. Kudos to Eirik who did most of the legwork to track this down.
References
Impacted products
Vendor Product Version
Linux Linux Version: 4e18b58b106e34ac69d3052dd91f520bd83cf2fc
Version: 70fdee548c036c6bdb496f284c9e78f1654b6dd0
Version: e7e571ed4ec7bb50136233d8e7b986efef2af8c1
Version: f5f9d4a314da88c0a5faa6d168bf69081b7a25ae
Version: f5f9d4a314da88c0a5faa6d168bf69081b7a25ae
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/cache.h",
            "fs/nfsd/nfscache.c",
            "fs/nfsd/nfsctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3025d489f9c8984d1bf5916c4a20097ed80fca5c",
              "status": "affected",
              "version": "4e18b58b106e34ac69d3052dd91f520bd83cf2fc",
              "versionType": "git"
            },
            {
              "lessThan": "8549384d0f65981761fe2077d04fa2a8d37b54e0",
              "status": "affected",
              "version": "70fdee548c036c6bdb496f284c9e78f1654b6dd0",
              "versionType": "git"
            },
            {
              "lessThan": "66a178177b2b3bb1d71e854c5e7bbb320eb0e566",
              "status": "affected",
              "version": "e7e571ed4ec7bb50136233d8e7b986efef2af8c1",
              "versionType": "git"
            },
            {
              "lessThan": "768c408594b52d8531e1a8ab62e5620c19213e73",
              "status": "affected",
              "version": "f5f9d4a314da88c0a5faa6d168bf69081b7a25ae",
              "versionType": "git"
            },
            {
              "lessThan": "ed9ab7346e908496816cffdecd46932035f66e2e",
              "status": "affected",
              "version": "f5f9d4a314da88c0a5faa6d168bf69081b7a25ae",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/cache.h",
            "fs/nfsd/nfscache.c",
            "fs/nfsd/nfsctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.3"
            },
            {
              "lessThan": "6.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.4.*",
              "status": "unaffected",
              "version": "6.4.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.5",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.4.4",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.5",
                  "versionStartIncluding": "6.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net\n\nCommit f5f9d4a314da (\"nfsd: move reply cache initialization into nfsd\nstartup\") moved the initialization of the reply cache into nfsd startup,\nbut didn\u0027t account for the stats counters, which can be accessed before\nnfsd is ever started. The result can be a NULL pointer dereference when\nsomeone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still\nshut down.\n\nThis is a regression and a user-triggerable oops in the right situation:\n\n- non-x86_64 arch\n- /proc/fs/nfsd is mounted in the namespace\n- nfsd is not started in the namespace\n- unprivileged user calls \"cat /proc/fs/nfsd/reply_cache_stats\"\n\nAlthough this is easy to trigger on some arches (like aarch64), on\nx86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the\nfixed_percpu_data. That struct looks just enough like a newly\ninitialized percpu var to allow nfsd_reply_cache_stats_show to access\nit without Oopsing.\n\nMove the initialization of the per-net+per-cpu reply-cache counters\nback into nfsd_init_net, while leaving the rest of the reply cache\nallocations to be done at nfsd startup time.\n\nKudos to Eirik who did most of the legwork to track this down."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-30T12:16:05.020Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566"
        },
        {
          "url": "https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e"
        }
      ],
      "title": "nfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-54276",
    "datePublished": "2025-12-30T12:16:05.020Z",
    "dateReserved": "2025-12-30T12:06:44.523Z",
    "dateUpdated": "2025-12-30T12:16:05.020Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-54276\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-12-30T13:16:16.537\",\"lastModified\":\"2025-12-31T20:42:43.210\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nnfsd: move init of percpu reply_cache_stats counters back to nfsd_init_net\\n\\nCommit f5f9d4a314da (\\\"nfsd: move reply cache initialization into nfsd\\nstartup\\\") moved the initialization of the reply cache into nfsd startup,\\nbut didn\u0027t account for the stats counters, which can be accessed before\\nnfsd is ever started. The result can be a NULL pointer dereference when\\nsomeone accesses /proc/fs/nfsd/reply_cache_stats while nfsd is still\\nshut down.\\n\\nThis is a regression and a user-triggerable oops in the right situation:\\n\\n- non-x86_64 arch\\n- /proc/fs/nfsd is mounted in the namespace\\n- nfsd is not started in the namespace\\n- unprivileged user calls \\\"cat /proc/fs/nfsd/reply_cache_stats\\\"\\n\\nAlthough this is easy to trigger on some arches (like aarch64), on\\nx86_64, calling this_cpu_ptr(NULL) evidently returns a pointer to the\\nfixed_percpu_data. That struct looks just enough like a newly\\ninitialized percpu var to allow nfsd_reply_cache_stats_show to access\\nit without Oopsing.\\n\\nMove the initialization of the per-net+per-cpu reply-cache counters\\nback into nfsd_init_net, while leaving the rest of the reply cache\\nallocations to be done at nfsd startup time.\\n\\nKudos to Eirik who did most of the legwork to track this down.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/3025d489f9c8984d1bf5916c4a20097ed80fca5c\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/66a178177b2b3bb1d71e854c5e7bbb320eb0e566\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/768c408594b52d8531e1a8ab62e5620c19213e73\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/8549384d0f65981761fe2077d04fa2a8d37b54e0\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ed9ab7346e908496816cffdecd46932035f66e2e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.