1. Patchew
  2. linux
  3. View series

[PATCH] libceph: fix potential out-of-bounds read in decode_new_up_state_weight()

Zhenhao Wan posted 1 patch 1 day, 12 hours ago 
net/ceph/osdmap.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
[PATCH] libceph: fix potential out-of-bounds read in decode_new_up_state_weight()
Posted by Zhenhao Wan 1 day, 12 hours ago 
The new_state section of an incremental OSD map is validated and skipped
using a byte count computed as

	len *= sizeof(u32) + (struct_v >= 5 ? sizeof(u32) : sizeof(u8));

The multiplication is evaluated in size_t, but the result is stored back
into the u32 "len", truncating it.  A malicious or corrupted incremental
map can supply a new_state element count >= 0x20000000 (struct_v >= 5) so
that len * 8 wraps modulo 2^32 to a small value.  The following
ceph_decode_need() then validates far fewer bytes than the section
actually occupies.

new_state is then reprocessed with the unchecked ceph_decode_32() and
ceph_decode_8() helpers, which have no per-iteration bounds check and
rely entirely on that truncated up-front validation.  This can lead to
a kernel out-of-bounds read past "end".

Compute the byte count in u64 and bounds-check it against the remaining
buffer before skipping, mirroring the size_t-typed length checks used
elsewhere in this file (e.g. decode_crush_names(), decode_pg_mapping()).
The osd index used for the osd_state[] write is already bounds-checked
against map->max_osd, so this is an out-of-bounds read, not a write.

Fixes: 930c53286977 ("libceph: apply new_state before new_up_client on incrementals")
Reported-by: Yuhao Jiang <danisjiang@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Zhenhao Wan <whi4ed0g@gmail.com>
---
 net/ceph/osdmap.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
index 8b5b0587a0cf..dd3023fe821e 100644
--- a/net/ceph/osdmap.c
+++ b/net/ceph/osdmap.c
@@ -1842,6 +1842,7 @@ static int decode_new_up_state_weight(void **p, void *end, u8 struct_v,
 	void *new_up_client;
 	void *new_state;
 	void *new_weight_end;
+	u64 skip_len;
 	u32 len;
 	int ret;
 	int i;
@@ -1862,9 +1863,10 @@ static int decode_new_up_state_weight(void **p, void *end, u8 struct_v,
 
 	new_state = *p;
 	ceph_decode_32_safe(p, end, len, e_inval);
-	len *= sizeof(u32) + (struct_v >= 5 ? sizeof(u32) : sizeof(u8));
-	ceph_decode_need(p, end, len, e_inval);
-	*p += len;
+	skip_len = (u64)len * (sizeof(u32) + (struct_v >= 5 ? sizeof(u32) : sizeof(u8)));
+	if (skip_len > end - *p)
+		goto e_inval;
+	*p += skip_len;
 
 	/* new_weight */
 	ceph_decode_32_safe(p, end, len, e_inval);

---
base-commit: dbe8d05c9750b107b10c15361aad40fbb350bedb
change-id: 20260606-ceph-fix-final-16f4e1df5a5e

Best regards,
--  
Zhenhao Wan <whi4ed0g@gmail.com>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.