RHEL7: NFSv4 client crashes with memory corruption when the NFS session's max_rqst_sz has been adjusted (CVE-2020-10742)
Issue
- CVE-2020-10742
- The NFS client kernel crashes with memory corruption; the oops recorded by kdump is:
[ 1158.976210] general protection fault: 0000 [#1] SMP
[ 1158.976258] Modules linked in: rpcsec_gss_krb5 nfsv4 dns_resolver nfs fscache stap_4e813b501609e0a3e00c1bef70a691f1_2064(OE) bonding snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq iosf_mbi ppdev crc32_pclmul ghash_clmulni_intel aesni_intel snd_seq_device snd_pcm lrw gf128mul snd_timer sg snd glue_helper ablk_helper pcspkr soundcore cryptd virtio_balloon parport_pc joydev parport i2c_piix4 nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c sr_mod cdrom ata_generic pata_acpi virtio_console virtio_blk qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ata_piix ttm crct10dif_pclmul crct10dif_common libata drm e1000 crc32c_intel serio_raw floppy virtio_pci i2c_core virtio_ring virtio
[ 1158.976881] CPU: 1 PID: 291 Comm: kworker/1:2 Kdump: loaded Tainted: G OE ------------ 3.10.0-862.9.1.el7.x86_64 #1
[ 1158.976952] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.9.1-1.fc24 04/01/2014
[ 1158.977042] Workqueue: rpciod rpc_async_schedule [sunrpc]
[ 1158.977080] task: ffff9c21b6319fa0 ti: ffff9c21b6a90000 task.ti: ffff9c21b6a90000
[ 1158.977126] RIP: 0010:[<ffffffff9aff8123>] [<ffffffff9aff8123>] kmem_cache_alloc_node+0xd3/0x200
[ 1158.977187] RSP: 0018:ffff9c21b6a93a50 EFLAGS: 00010246
[ 1158.977221] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 000000000000fd84
[ 1158.977265] RDX: 000000000000fd83 RSI: 0000000000000020 RDI: 000000000001bb20
[ 1158.977309] RBP: ffff9c21b6a93a90 R08: ffff9c21fdd1bb20 R09: ffff9c21fd801600
[ 1158.977354] R10: ffffffff9b3d7ded R11: 0000000000000000 R12: 001fffff0008007c
[ 1158.977419] R13: 0000000000000020 R14: 00000000ffffffff R15: ffff9c21fd801600
[ 1158.977465] FS: 0000000000000000(0000) GS:ffff9c21fdd00000(0000) knlGS:0000000000000000
[ 1158.977525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1158.977573] CR2: 00007f6543b6c000 CR3: 0000000028c6a000 CR4: 00000000000406e0
[ 1158.977622] Call Trace:
[ 1158.977648] [<ffffffff9b3d7ded>] __alloc_skb+0x5d/0x2d0
[ 1158.977686] [<ffffffff9b443382>] sk_stream_alloc_skb+0x52/0x1b0
[ 1158.977726] [<ffffffff9b44f953>] tcp_fragment+0x53/0x2c0
[ 1158.977763] [<ffffffff9b450fcf>] tcp_write_xmit+0x28f/0xd00
[ 1158.977800] [<ffffffff9b451d80>] tcp_push_one+0x30/0x40
[ 1158.977835] [<ffffffff9b4437de>] tcp_sendpage+0x2fe/0x5c0
[ 1158.977872] [<ffffffff9b46f690>] ? inet_sendmsg+0xb0/0xb0
[ 1158.977908] [<ffffffff9b46f700>] inet_sendpage+0x70/0xe0
[ 1158.977956] [<ffffffffc069f235>] xs_sendpages+0x135/0x200 [sunrpc]
[ 1158.978042] [<ffffffffc06a0b31>] xs_tcp_send_request+0x91/0x220 [sunrpc]
[ 1158.978094] [<ffffffffc069d17b>] xprt_transmit+0x6b/0x330 [sunrpc]
[ 1158.978140] [<ffffffffc0698f50>] call_transmit+0x1d0/0x2c0 [sunrpc]
[ 1158.978185] [<ffffffffc0698d80>] ? call_decode+0x880/0x880 [sunrpc]
[ 1158.978230] [<ffffffffc0698d80>] ? call_decode+0x880/0x880 [sunrpc]
[ 1158.978277] [<ffffffffc06a6369>] __rpc_execute+0x99/0x420 [sunrpc]
[ 1158.978330] [<ffffffff9b5139fc>] ? __schedule+0x41c/0xa20
[ 1158.978386] [<ffffffffc06a6702>] rpc_async_schedule+0x12/0x20 [sunrpc]
[ 1158.978455] [<ffffffff9aeb35ef>] process_one_work+0x17f/0x440
[ 1158.978492] [<ffffffff9aeb4686>] worker_thread+0x126/0x3c0
[ 1158.978541] [<ffffffff9aeb4560>] ? manage_workers.isra.24+0x2a0/0x2a0
[ 1158.978594] [<ffffffff9aebb621>] kthread+0xd1/0xe0
[ 1158.980125] [<ffffffff9aebb550>] ? insert_kthread_work+0x40/0x40
[ 1158.981690] [<ffffffff9b5205f7>] ret_from_fork_nospec_begin+0x21/0x21
[ 1158.983308] [<ffffffff9aebb550>] ? insert_kthread_work+0x40/0x40
[ 1158.984753] Code: 8b 5d 08 66 66 66 66 90 48 83 c4 18 4c 89 e0 5b 41 5c 41 5d 41 5e 41 5f 5d c3 66 0f 1f 44 00 00 49 63 41 20 48 8d 4a 01 49 8b 39 <49> 8b 1c 04 4c 89 e0 65 48 0f c7 0f 0f 94 c0 84 c0 0f 84 5a ff
[ 1158.987804] RIP [<ffffffff9aff8123>] kmem_cache_alloc_node+0xd3/0x200
[ 1158.989238] RSP <ffff9c21b6a93a50>
- The fault is raised in the SLUB fast path of kmem_cache_alloc_node while it reads the next free pointer off the slab freelist: the instruction at RIP (49 8b 1c 04, mov rbx,[r12+rax]) dereferences R12 = 001fffff0008007c, which is not a canonical address, so the freelist of the cache that __alloc_skb allocates its sk_buff from was already corrupted before the rpciod worker tried to send the request. The sunrpc/TCP send path in the call trace is where the corruption is detected, not where it originates.
Environment
- Red Hat Enterprise Linux 7
- Red Hat Enterprise Linux 6.4 to 6.10
- NFSv4 client
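The following triage script is an added example and is not part of the Red Hat article or of any Red Hat tooling. It does two things a practitioner needs when deciding whether a fleet of kdump captures belongs to this issue: it checks whether an oops text (for example a vmcore-dmesg.txt) carries the signature shown above, a general protection fault with RIP in kmem_cache_alloc_node reached from the sunrpc TCP send path on the rpciod workqueue, and it lists the NFSv4 mounts of a host from /proc/mounts-format input, since only NFSv4 clients are in scope. The oops sample is excerpted from the trace on this page; the second oops and the mount table are constructed test data.

```shell
#!/bin/sh
# Added example, not from the Red Hat article. Helpers for triaging kdump
# captures against the CVE-2020-10742 crash signature shown in the article.

# Exit 0 if the oops text on stdin carries the article's signature:
#   - a general protection fault
#   - RIP inside kmem_cache_alloc_node (SLUB freelist corruption detected there)
#   - raised on the rpciod workqueue
#   - reached through xs_sendpages [sunrpc] and the TCP segmentation path
matches_cve_2020_10742_signature() {
    awk '
        /general protection fault/     { gpf = 1 }
        /RIP:.*kmem_cache_alloc_node/  { rip = 1 }
        /Workqueue: rpciod/            { wq  = 1 }
        /xs_sendpages/                 { xs  = 1 }
        /tcp_fragment|tcp_sendpage/    { tcp = 1 }
        END { exit !(gpf && rip && wq && xs && tcp) }
    '
}

# Print "device mountpoint version" for every NFSv4 mount in /proc/mounts-format
# input on stdin. Both the "nfs4" fstype and "nfs" with a vers=4.x option count.
nfs4_mounts() {
    awk '
        $3 == "nfs4" || ($3 == "nfs" && $4 ~ /(^|,)vers=4/) {
            v = "4"
            if (match($4, /(^|,)vers=[0-9.]+/)) {
                v = substr($4, RSTART, RLENGTH)
                sub(/^,?vers=/, "", v)
            }
            print $1, $2, v
        }
    '
}

# Number of NFSv4 mounts in /proc/mounts-format input on stdin.
nfs4_mount_count() {
    nfs4_mounts | awk 'END { print NR }'
}

# Sample oops: lines excerpted from the trace in the article.
SAMPLE_OOPS='[ 1158.976210] general protection fault: 0000 [#1] SMP
[ 1158.977042] Workqueue: rpciod rpc_async_schedule [sunrpc]
[ 1158.977126] RIP: 0010:[<ffffffff9aff8123>] [<ffffffff9aff8123>] kmem_cache_alloc_node+0xd3/0x200
[ 1158.977622] Call Trace:
[ 1158.977648] [<ffffffff9b3d7ded>] __alloc_skb+0x5d/0x2d0
[ 1158.977726] [<ffffffff9b44f953>] tcp_fragment+0x53/0x2c0
[ 1158.977835] [<ffffffff9b4437de>] tcp_sendpage+0x2fe/0x5c0
[ 1158.977956] [<ffffffffc069f235>] xs_sendpages+0x135/0x200 [sunrpc]
[ 1158.978042] [<ffffffffc06a0b31>] xs_tcp_send_request+0x91/0x220 [sunrpc]'

# Constructed oops from an unrelated GPF; must not match.
SAMPLE_OTHER_OOPS='[   12.000000] general protection fault: 0000 [#1] SMP
[   12.000001] RIP: 0010:[<ffffffff81000000>] [<ffffffff81000000>] some_other_function+0x10/0x20
[   12.000002] Call Trace:
[   12.000003] [<ffffffff81000010>] do_something+0x0/0x10'

# Constructed /proc/mounts content: one xfs root, one NFSv3 and two NFSv4 mounts.
SAMPLE_MOUNTS='/dev/mapper/rhel-root / xfs rw,seclabel,relatime,attr2,inode64,noquota 0 0
nfsserver:/export /mnt/nfs4 nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,sec=krb5 0 0
oldserver:/share /mnt/nfs3 nfs rw,relatime,vers=3,rsize=32768,wsize=32768 0 0
nfsserver:/home /home nfs rw,relatime,vers=4.0,sec=sys 0 0'

# Stand-alone use: ./triage.sh /var/crash/<timestamp>/vmcore-dmesg.txt
if [ -n "${1:-}" ] && [ -r "$1" ]; then
    if matches_cve_2020_10742_signature < "$1"; then
        echo "oops matches the CVE-2020-10742 signature; NFSv4 mounts on this host:"
        nfs4_mounts < /proc/mounts
    else
        echo "oops does not match the CVE-2020-10742 signature"
    fi
fi
```

A signature match is a triage hint, not a confirmation: a general protection fault in the slab allocator under the network send path can be produced by any earlier heap corruption, so a positive match still needs the host to be running one of the affected kernels listed in the Environment section and to have had an NFSv4 session active at the time of the crash.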