Re: [BUG] Linux Kernel NFS Server refcount_t Underflow in nfs3svc_release_getacl (S→C)
From: Chuck Lever
Date: Thu Apr 02 2026 - 15:06:58 EST

On Thu, Apr 2, 2026, at 7:05 AM, ven0mfuzzer wrote:
> Linux Kernel NFS Server refcount_t Underflow in nfs3svc_release_getacl (S→C)
>
> 1. Vulnerability Title
>
> Linux Kernel NFS Server (nfsd) refcount_t Underflow via Malicious
> GETACL Request with Corrupted File Handle

The described mechanism -- a refcount underflow from fh_put on an
uninitialized handle -- cannot occur because the SunRPC layer
zero-initializes the response buffer and fh_put() guards all
refcount operations behind NULL checks.
--
Chuck Lever
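
The reply above rests on two properties: a zero-initialized response buffer and puts guarded by NULL checks. The userspace C model below is an added illustration of that pattern, not nfsd or SunRPC code and not part of the original message; every struct and function name in it is hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model; every name below is hypothetical, not kernel code. */
struct model_obj { int refcount; };
struct model_fh { struct model_obj *dentry, *exp; };
struct model_getaclres { struct model_fh fh; };

/* Drop one reference; report an underflow as -1 instead of performing it. */
static int model_put(struct model_obj *o)
{
    return o->refcount > 0 ? (o->refcount--, 0) : -1;
}

/* NULL-guarded put: a count is touched only through a non-NULL pointer, which
 * is then cleared. Returns the references dropped, or -1 on underflow. */
static int model_fh_put(struct model_fh *fh)
{
    struct model_obj **slot[] = { &fh->dentry, &fh->exp };
    int dropped = 0;
    for (size_t i = 0; i < 2; i++) {
        if (!*slot[i]) continue;
        if (model_put(*slot[i]) < 0) return -1;
        *slot[i] = NULL;
        dropped++;
    }
    return dropped;
}

/* Release a response the handler never filled in (zeroed buffer). */
static int release_zeroed_response(void)
{
    struct model_getaclres resp;
    memset(&resp, 0, sizeof(resp)); /* models the zero-initialized buffer */
    return model_fh_put(&resp.fh);
}

/* Release a populated handle twice; returns references left, or -1. */
static int release_populated_twice(void)
{
    struct model_obj d = { 1 }, e = { 1 };
    struct model_getaclres resp = { { &d, &e } };
    int first = model_fh_put(&resp.fh), second = model_fh_put(&resp.fh);
    return (first == 2 && second == 0) ? d.refcount + e.refcount : -1;
}

int main(void)
{
    printf("zeroed=%d twice=%d\n", release_zeroed_response(), release_populated_twice());
    return 0;
}
```

In this model the only way to reach the underflow branch of `model_put` is to call it directly on an object whose count is already zero, which the guarded put never does.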