CRITICAL
nfs-rdma PageOffset Overflow
CVE-2025-68811
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
01 Description
In the Linux kernel, the following vulnerability has been resolved:

svcrdma: use rc_pageoff for memcpy byte offset

svc_rdma_copy_inline_range added rc_curpage (page index) to the page base instead of the byte offset rc_pageoff. Use rc_pageoff so copies land within the current page.

Found by ZeroPath (https://zeropath.com)
02 KernelScan AI Analysis
Risk summary
An unauthenticated remote client can corrupt kernel memory on an NFS-over-RDMA server by sending crafted requests that drive the inline-content copy path (CVSS AV:N/PR:N/UI:N). The result is a kernel crash or, potentially, code execution in kernel context; the vector scores integrity and availability impact, with no confidentiality impact.
Vulnerability analysis
svc_rdma_copy_inline_range() copies inline content from the Receive buffer into the request's pages one page at a time. The destination of each memcpy was computed as the page base plus rc_curpage, the index of the current page, instead of rc_pageoff, the byte offset within that page. The copy length is bounded by the space remaining after rc_pageoff, not after rc_curpage, so two things go wrong: the data lands at the wrong offset in the page, and whenever rc_curpage exceeds rc_pageoff (for example rc_pageoff is 0 on any page other than the first) the copy runs rc_curpage - rc_pageoff bytes past the end of the page into whatever kernel memory follows it. Each overrun is small and bounded by the page index, but a copy that crosses several page boundaries repeats it on every page. The bug was introduced during code refactoring that moved page tracking fields. The fix replaces rc_curpage with rc_pageoff in the memcpy destination so every copy stays within the current page. The attack surface is the network-exposed NFS-over-RDMA server (svcrdma).
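The following user-space model, added here as an illustration and not taken from the kernel or from the patch, reproduces the copy loop as the analysis describes it and makes the overrun observable. The struct layout, the page array size and the loop shape are assumptions modelled on the description above (the kernel's rq_pages array and struct svc_rdma_recv_ctxt are not reproduced); each modelled page is followed by a guard region of canary bytes so that bytes written past a page end can be counted instead of silently corrupting something else. The COPY_BUGGY variant adds rc_curpage to the page base, the COPY_FIXED variant adds rc_pageoff, and the sample payload is constructed inline.

```c
/*
 * User-space model of the svcrdma inline-copy loop (added example; not kernel code).
 * Layout, names and loop structure are assumptions based on the advisory text.
 */
#include <stdio.h>
#include <string.h>

#define MODEL_PAGE_SIZE 4096u
#define MODEL_NPAGES    8u
#define GUARD_SIZE      64u
#define GUARD_BYTE      0xA5

struct model_page {
    unsigned char data[MODEL_PAGE_SIZE];
    unsigned char guard[GUARD_SIZE];   /* canary region: must stay GUARD_BYTE */
};

/* Field names follow the advisory; the struct itself is an assumption. */
struct recv_ctxt {
    unsigned int rc_curpage;    /* index of the page slot being filled */
    unsigned int rc_pageoff;    /* byte offset within that page */
    unsigned int rc_readbytes;
};

enum copy_variant { COPY_BUGGY, COPY_FIXED };

/*
 * Copy `remaining` bytes from src+offset into the pages, one page at a time.
 * page_len is bounded by the space left after rc_pageoff, so the copy can only
 * overrun when the destination base is advanced by more than rc_pageoff;
 * the buggy variant advances it by rc_curpage (a page index) instead.
 */
static void copy_inline_range(struct model_page *pages, struct recv_ctxt *head,
                              const unsigned char *src, unsigned int offset,
                              unsigned int remaining, enum copy_variant v)
{
    while (remaining && head->rc_curpage < MODEL_NPAGES) {
        unsigned char *page = (unsigned char *)&pages[head->rc_curpage];
        unsigned int page_len = remaining;
        unsigned int base;

        if (page_len > MODEL_PAGE_SIZE - head->rc_pageoff)
            page_len = MODEL_PAGE_SIZE - head->rc_pageoff;

        /* The bug: a page index used where a byte offset is required. */
        base = (v == COPY_BUGGY) ? head->rc_curpage : head->rc_pageoff;
        memcpy(page + base, src + offset, page_len);

        head->rc_readbytes += page_len;
        head->rc_pageoff += page_len;
        if (head->rc_pageoff == MODEL_PAGE_SIZE) {
            head->rc_curpage++;
            head->rc_pageoff = 0;
        }
        remaining -= page_len;
        offset += page_len;
    }
}

struct scenario_result {
    unsigned int guard_clobbered;   /* guard bytes overwritten, summed over all pages */
    int first_byte_misplaced;       /* first inline byte did not land at data[pageoff] */
    unsigned int readbytes;
};

/* Start at (curpage, pageoff), copy `len` bytes of a constructed pattern, inspect. */
static struct scenario_result run_scenario(unsigned int curpage, unsigned int pageoff,
                                           unsigned int len, enum copy_variant v)
{
    static struct model_page pages[MODEL_NPAGES];
    static unsigned char src[2 * MODEL_PAGE_SIZE];     /* constructed payload */
    struct recv_ctxt head = { curpage, pageoff, 0 };
    struct scenario_result r = { 0, 0, 0 };
    unsigned int p, i;

    if (len > sizeof src)
        len = sizeof src;
    for (i = 0; i < sizeof src; i++)
        src[i] = (unsigned char)(1 + i % 0xA0);          /* never 0x00 or GUARD_BYTE */
    for (p = 0; p < MODEL_NPAGES; p++) {
        memset(pages[p].data, 0, MODEL_PAGE_SIZE);
        memset(pages[p].guard, GUARD_BYTE, GUARD_SIZE);
    }

    copy_inline_range(pages, &head, src, 0, len, v);

    for (p = 0; p < MODEL_NPAGES; p++)
        for (i = 0; i < GUARD_SIZE; i++)
            if (pages[p].guard[i] != GUARD_BYTE)
                r.guard_clobbered++;
    r.first_byte_misplaced = len ? pages[curpage].data[pageoff] != src[0] : 0;
    r.readbytes = head.rc_readbytes;
    return r;
}

int main(void)
{
    static const struct { unsigned int cp, po, len; } cases[] = {
        { 0, 0, 4096 }, { 3, 0, 4096 }, { 5, 2, 4094 }, { 2, 100, 50 }, { 1, 0, 8192 },
    };
    for (size_t k = 0; k < sizeof cases / sizeof cases[0]; k++) {
        struct scenario_result b = run_scenario(cases[k].cp, cases[k].po, cases[k].len, COPY_BUGGY);
        struct scenario_result f = run_scenario(cases[k].cp, cases[k].po, cases[k].len, COPY_FIXED);
        printf("curpage=%u pageoff=%u len=%u: buggy overrun=%u misplaced=%d | fixed overrun=%u misplaced=%d\n",
               cases[k].cp, cases[k].po, cases[k].len, b.guard_clobbered, b.first_byte_misplaced,
               f.guard_clobbered, f.first_byte_misplaced);
    }
    return 0;
}
```

Two things the model makes visible that the prose only states: the bug is silent on page 0 (rc_curpage and rc_pageoff are both 0, so both variants produce the same copy), and a copy that crosses page boundaries overruns once per page, by rc_curpage bytes each time, because rc_pageoff is 0 at the start of every page after the first.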
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.64 | e8623e9c451e |
| 6.18 | 6.18.3 | 2a77c8dd49bc |
| mainline | 6.19 | a8ee9099f306 |