From: Pavitra Jha <jhapavitra98@gmail.com>
To: idryomov@gmail.com
Cc: amarkuze@redhat.com, slava@dubeyko.com,
ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org, Pavitra Jha <jhapavitra98@gmail.com>
Subject: [PATCH] ceph: fix OOB read in decode_lockers() via missing bounds check
Date: Fri, 22 May 2026 21:46:07 -0400 [thread overview]
Message-ID: <20260523014607.426417-1-jhapavitra98@gmail.com> (raw)
ceph_start_decoding() accepts struct_len=0 as valid:
ceph_decode_need(p, end, 0, bad) always passes. When a malicious or
compromised OSD sends a cls_lock_get_info_reply with struct_len=0,
ceph_start_decoding() returns success with p == end, leaving zero
bytes guaranteed for subsequent reads.
The immediately following bare ceph_decode_32(p) in decode_lockers()
has no preceding bounds check. With p == end this is a 4-byte read
past the validated buffer boundary. The garbage value is then passed
to kzalloc_objs() as the locker count.
The sibling function decode_watchers() in osd_client.c already uses
the safe variant ceph_decode_32_safe() after its own
ceph_start_decoding() call. decode_lockers() is the only site using
the bare variant, confirming an oversight.
Fix by replacing ceph_decode_32(p) with ceph_decode_32_safe(p, end,
*num_lockers, err_inval), adding a new err_inval label that returns
-EINVAL directly without attempting to free an uninitialized lockers
pointer.
KASAN report (kernel 7.0.0-rc7, QEMU/x86_64, KASLR disabled):
==================================================================
BUG: KASAN: slab-out-of-bounds in ceph_oob3_init+0x251/0xff0 [ceph_oob3_poc]
Read of size 4 at addr ffff88800a29b76e by task insmod/58
CPU: 0 UID: 0 PID: 58 Comm: insmod Tainted: G O 7.0.0-rc7-g9c2abf69da83-dirty #15 PREEMPT(lazy)
Tainted: [O]=OOT_MODULE
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x4d/0x70
print_report+0x170/0x4f3
kasan_report+0xda/0x110
ceph_oob3_init+0x251/0xff0 [ceph_oob3_poc]
do_one_initcall+0x9a/0x3a0
do_init_module+0x27c/0x790
load_module+0x4a9a/0x6350
init_module_from_file+0x15c/0x180
idempotent_init_module+0x21f/0x750
__x64_sys_finit_module+0xba/0x120
do_syscall_64+0xe2/0x570
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Allocated by task 58:
kasan_save_stack+0x30/0x50
kasan_save_track+0x14/0x30
__kasan_kmalloc+0x7f/0x90
ceph_oob3_init+0x4d/0xff0 [ceph_oob3_poc]
do_one_initcall+0x9a/0x3a0
do_init_module+0x27c/0x790
load_module+0x4a9a/0x6350
init_module_from_file+0x15c/0x180
idempotent_init_module+0x21f/0x750
__x64_sys_finit_module+0xba/0x120
do_syscall_64+0xe2/0x570
entry_SYSCALL_64_after_hwframe+0x77/0x7f
The buggy address belongs to the object at ffff88800a29a000
which belongs to the cache kmalloc-8k of size 8192
The buggy address is located 5998 bytes inside of
allocated 6000-byte region [ffff88800a29a000, ffff88800a29b770)
Memory state around the buggy address:
ffff88800a29b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88800a29b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88800a29b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
^
ffff88800a29b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
num_lockers=0xccccaaaa (OOB garbage from KASAN redzone)
Attacker model: a malicious or compromised OSD in a multi-tenant Ceph
deployment can trigger this against any kernel client that issues the
lock.get_info class method (e.g. during RBD exclusive lock acquisition)
without any further privileges beyond OSD session establishment.
Fixes: d4ed4a530562 ("libceph: support for lock.lock_info")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
---
net/ceph/cls_lock_client.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/ceph/cls_lock_client.c b/net/ceph/cls_lock_client.c
index c6956f1df..78276273c 100644
--- a/net/ceph/cls_lock_client.c
+++ b/net/ceph/cls_lock_client.c
@@ -299,7 +299,7 @@ static int decode_lockers(void **p, void *end, u8 *type, char **tag,
if (ret)
return ret;
- *num_lockers = ceph_decode_32(p);
+ ceph_decode_32_safe(p, end, *num_lockers, err_inval);
*lockers = kzalloc_objs(**lockers, *num_lockers, GFP_NOIO);
if (!*lockers)
return -ENOMEM;
@@ -320,6 +320,8 @@ static int decode_lockers(void **p, void *end, u8 *type, char **tag,
*tag = s;
return 0;
+err_inval:
+ return -EINVAL;
err_free_lockers:
ceph_free_lockers(*lockers, *num_lockers);
return ret;
--
2.53.0
next reply other threads:[~2026-05-23 1:46 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-23 1:46 Pavitra Jha [this message]
2026-05-26 19:04 ` Viacheslav Dubeyko
2026-05-28 13:25 ` [PATCH v2] ceph: fix bare ceph_decode_8 OOB in decode_lockers() Pavitra Jha
2026-05-28 18:06 ` Viacheslav Dubeyko
2026-05-30 17:46 ` Dan Carpenter
2026-06-02 4:17 ` [PATCH v3] ceph: fix two unsafe bare decodes " Pavitra Jha
2026-06-02 16:46 ` Viacheslav Dubeyko
2026-05-28 14:36 ` [PATCH] ceph: fix OOB read in decode_lockers() via missing bounds check Pavitra Jha
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260523014607.426417-1-jhapavitra98@gmail.com \
--to=jhapavitra98@gmail.com \
--cc=amarkuze@redhat.com \
--cc=ceph-devel@vger.kernel.org \
--cc=idryomov@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=slava@dubeyko.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome