From nobody Sun May 24 18:41:03 2026 Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 64F3E3CB2DF for ; Fri, 22 May 2026 10:20:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.174 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779445250; cv=none; b=ZplZrap48n8jhcmzJYMVbCzum7TxujpOM4nKltDpEGBwi8/IUsvREQgPCiyZXgfI2gzh1zZ9uYv8UOQqte/9s/T5E8dhoH8jrKxXX4rbL6dms6/KfvwrN28/VhxfKIFOThe4DpQNgV7iy6eHUHQQusK1CUpy3MXZNIVwCs7yvLo= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779445250; c=relaxed/simple; bh=CqqfADRIYdy2j/+p5yLnh5aLdmAPFqsu0MNRmXCNItE=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=XvN3MUEenrkFVUoDJL3P6HkfyN+3ZYbXP0EUK6VSbNf2O2tusVIv5HUmrYncd1dcnHgHgSsMatxkJ/CCoI37hq8ZudftrpiJ6jvxB7fE+jAUcms8eKGv3rckyMr58Jr+OsAgdlLYoTI+EOpi16sabQEzRbDVNtG31zKN/1Jkw58= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=AKn6JC0r; arc=none smtp.client-ip=209.85.215.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="AKn6JC0r" Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-c802196bd32so628271a12.1 for ; Fri, 22 May 2026 03:20:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1779445248; x=1780050048; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=wGF3BRrejRrTaJFBtcO7t80MSvJtsYjl3QazzV4jG8M=; b=AKn6JC0rJME5dKelu613J4AmnNJeh8RFoPZjk5s7fpJzGNmpFd6rz3zNLP78ewEfPD R0BRTADB8h6LZ6Dju/Sdv2jTfZV7Ho9K45+F7/4dcpU/d89v8H3Y/SM6X+fEZV0L+K97 M4MhlJQrAULo5U0R6CtZpp9wIMgeaVupMdqeASZHa4Ih+jGKGd8mZci4paQ2LGjlSw/M 0N3JxX5nxXMrVTAoZs18ZdDX4+NsYum+0XQrn8OgxYR5bgtP6kd9C91qN7dyibnxcM8Z j5zRAEMZvAO3XQZhgilu3kP24vZmQ8cdZynkR5ZEWpzsHAYhFS794v4dw65YbKudCurX Xp0g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1779445248; x=1780050048; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=wGF3BRrejRrTaJFBtcO7t80MSvJtsYjl3QazzV4jG8M=; b=LxdJENZwmgzhlzOwYmmOkkkCRF4AP+hMXgSqvL0pxa9bvpcsHIof8u1tZmGgI3Y+ug vi5R9IWJ1H4FMmlZIWMeO4GghzFXtTNWB59D1rfmSuT+guDMwuyMEMUZF5jnmqW7aQtE uCpnSLY3SXdt39VNYcAqSRqP1SIKpq0qQsfhm2IoPD01Dywb4vHzymcs55sHcu1gZvGb XDbxRGzs6J0+mL4hdjP6CBUyTTz/uVZdQuKghI5cGTG8vrmY8K5pswNI9wcYIhNlrSc5 +3LwyRnsIGnG8sGlaHIOdQXZF5qoUvnR4GC+zeAbFagsyrSQFpYNR37ZB11+hxomerJh RMQg== X-Forwarded-Encrypted: i=1; AFNElJ+5Vtc6CdcgP+m/7jWATwAwIn4RLZPB+Jf6O4l0DOSt5B/Bz3ym2JbspwjcxYGu960SLGGDG1Ue5Sz5L8Y=@vger.kernel.org X-Gm-Message-State: AOJu0YzhCjESk9FgzQiM1Wxl1CTBp73ErQwQvbZkoBaTr8vG8HfezYYu 52rTNoOoPwgiGm2TVPKLtUAne8up+XBNCSjjbEaW5buqQg5Fv0UibVq6 X-Gm-Gg: Acq92OF/umqiyXmVYBvMMNldmBuFMj74y5Hkx7vnUhuijglYdc1P+dGVdIf2lXcI9WC 4OsfKw8CdT1hVHyzd1VJR4fe+RcNwGtoSMUrrppeQvochGq+KT/IF2GGjjA3Qs5J1xvcgf2aEnc kHd7fw2/BhfOEDJ00C/czCZpFqCzZc3++fbtx7qBsdla6rvj7tb7ljA8cWBw58h2w6uxuaBHNU9 Sea1EFaJXFabj7LnxbqkatCTXqBnBA5uNtrIVHF7nmimqZTrKkz2iMa0ZJ9syn4BNwkOZuGhd6w IP693xoWig0jp/XOwA0ZW9gNNREqDraXV77j3zts9qe1dmsKE1vmUgjRJhMYqjBgec89HOs4R5w jP9SVxJhWjU28R6I5ORoXP+0Bl2kbySQJxkur8xZ3deIBI0yuq13OQphRy7EWZdrToyN5b5v/ci VFQhl9PNOXpevUo4VIUw== X-Received: by 2002:a05:6a20:5481:b0:3a0:b812:3a84 with SMTP id adf61e73a8af0-3b328ce6862mr1642445637.1.1779445247567; Fri, 22 May 2026 03:20:47 -0700 (PDT) Received: from kali ([2402:e280:3d7c:a2:536a:b505:93f5:9d5d]) by smtp.gmail.com with ESMTPSA id d2e1a72fcca58-84164ea09a9sm1881827b3a.31.2026.05.22.03.20.44 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 22 May 2026 03:20:46 -0700 (PDT) From: Pavitra Jha To: idryomov@gmail.com Cc: amarkuze@redhat.com, slava@dubeyko.com, ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, Pavitra Jha Subject: [PATCH v2] ceph: fix OOB read in decode_watchers() via missing bounds check Date: Fri, 22 May 2026 06:19:32 -0400 Message-ID: <20260522101932.304458-1-jhapavitra98@gmail.com> X-Mailer: git-send-email 2.53.0 In-Reply-To: <20260521140807.204657-1-jhapavitra98@gmail.com> References: <20260521140807.204657-1-jhapavitra98@gmail.com> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" ceph_start_decoding() validates that struct_len bytes remain in the buffer after the encoding header, but accepts struct_len=3D0 as valid: ceph_decode_need(p, end, 0, bad) always passes. When a malicious or compromised OSD sends an obj_list_watch_response_t reply with struct_len=3D0, ceph_start_decoding() returns success with p =3D=3D end, leaving zero bytes guaranteed for subsequent reads. The immediately following ceph_decode_32(p) in decode_watchers() has no preceding bounds check. With p =3D=3D end this is a 4-byte read past the validated buffer boundary. The garbage value is then passed directly to kzalloc_objs() as the watcher count. The sibling function decode_watcher() already uses the safe variants (ceph_decode_copy_safe, ceph_decode_64_safe, ceph_decode_skip_32) after its own ceph_start_decoding() call. decode_watchers() is the only site that uses the bare variant, confirming an oversight. Fix by replacing ceph_decode_32(p) with ceph_decode_32_safe(p, end, *num_watchers, e_inval), consistent with the established pattern. KASAN report (kernel 7.0.0-rc7, QEMU/x86_64, KASLR disabled): [ 72.047085] ceph_oob_poc: buf=3Dffff8880085936c8 end=3Dffff8880085936ce [ 72.048685] ceph_oob_poc: ceph_start_decoding OK: struct_v=3D1 struct_len=3D0 p=3D=3Dend: 1 [ 72.049477] ceph_oob_poc: triggering OOB read past slab boundary... [ 72.050699] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D [ 72.051427] BUG: KASAN: slab-out-of-bounds in ceph_oob_init+0x128/0xff0 [ceph_oob_poc] [ 72.051427] Read of size 4 at addr ffff8880085936ce by task insmod/61 [ 72.051427] CPU: 0 UID: 0 PID: 61 Comm: insmod Tainted: G O [ 72.051427] 7.0.0-rc7-g9c2abf69da83-dirty #14 PREEMPT(lazy) [ 72.051427] Call Trace: [ 72.051427] dump_stack_lvl+0x4d/0x70 [ 72.051427] print_report+0x170/0x4f3 [ 72.051427] kasan_report+0xda/0x110 [ 72.051427] kasan_check_range+0x125/0x200 [ 72.051427] ceph_oob_init+0x128/0xff0 [ceph_oob_poc] [ 72.051427] do_one_initcall+0x9a/0x310 [ 72.051427] do_init_module+0x186/0x410 [ 72.051427] load_module+0x2ba7/0x2e50 [ 72.051427] init_module_from_file+0x15c/0x180 [ 72.051427] idempotent_init_module+0x19f/0x430 [ 72.051427] __x64_sys_finit_module+0x78/0xc0 [ 72.051427] do_syscall_64+0xe2/0x570 [ 72.051427] entry_SYSCALL_64_after_hwframe+0x77/0x7f [ 72.051427] The buggy address belongs to the object at ffff8880085936c8 [ 72.051427] which belongs to the cache kmalloc-8 of size 8 [ 72.051427] The buggy address is located 0 bytes to the right of [ 72.051427] allocated 6-byte region [ffff8880085936c8, ffff8880085936= ce) [ 72.051427] Memory state around the buggy address: [ 72.051427] >ffff888008593680: fc fc fc fc fc fc fc fc fc 06 fc fc fc = fc fc fc [ 72.051427] ^ [ 72.051427] =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D [ 72.129720] ceph_oob_poc: num_watchers=3D3435973836 (OOB garbage) 0xCCCCCCCC (3435973836) is KASAN redzone poison, confirming the read landed in the slab redzone immediately past the 6-byte allocation. Attacker model: a malicious or compromised OSD in a multi-tenant Ceph deployment (e.g. cloud) can trigger this against any kernel client that calls CEPH_OSD_OP_LIST_WATCHERS, without any further privileges beyond OSD session establishment. Fixes: a4ed38d7a180 ("libceph: support for CEPH_OSD_OP_LIST_WATCHERS") Cc: stable@vger.kernel.org Signed-off-by: Pavitra Jha --- v2: Correct commit message. v1 overstated the impact: - "unbounded alloc": retracted. kzalloc_objs() uses size_mul() internally which returns SIZE_MAX on overflow, causing kmalloc to return NULL. The large garbage value from the OOB read will simply fail allocation with -ENOMEM. - "decode_watcher() writing attacker-controlled data into it": retracted. ceph_start_decoding() calls ceph_decode_need() for its 6-byte header, which catches p=3D=3Dend and returns -ERANGE before any copy occurs. Verified with a follow-up KASAN harness. The fix itself is unchanged. --- net/ceph/osd_client.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/ceph/osd_client.c b/net/ceph/osd_client.c index 2ff00070c..0148e4c40 100644 --- a/net/ceph/osd_client.c +++ b/net/ceph/osd_client.c @@ -5030,7 +5030,7 @@ static int decode_watchers(void **p, void *end, if (ret) return ret; =20 - *num_watchers =3D ceph_decode_32(p); + ceph_decode_32_safe(p, end, *num_watchers, e_inval); *watchers =3D kzalloc_objs(**watchers, *num_watchers, GFP_NOIO); if (!*watchers) return -ENOMEM; @@ -5044,6 +5044,9 @@ static int decode_watchers(void **p, void *end, } =20 return 0; + +e_inval: + return -EINVAL; } =20 /* --=20 2.53.0