mirror of https://lore.kernel.org/lkml/
 help / color / mirror / Atom feed
* [PATCH] ceph: fix OOB read in decode_lockers() via missing bounds check
@ 2026-05-23  1:46 Pavitra Jha
  2026-05-26 19:04 ` Viacheslav Dubeyko
  0 siblings, 1 reply; 9+ messages in thread
From: Pavitra Jha @ 2026-05-23  1:46 UTC (permalink / raw)
  To: idryomov; +Cc: amarkuze, slava, ceph-devel, linux-kernel, stable, Pavitra Jha

ceph_start_decoding() accepts struct_len=0 as valid:
ceph_decode_need(p, end, 0, bad) always passes. When a malicious or
compromised OSD sends a cls_lock_get_info_reply with struct_len=0,
ceph_start_decoding() returns success with p == end, leaving zero
bytes guaranteed for subsequent reads.

The immediately following bare ceph_decode_32(p) in decode_lockers()
has no preceding bounds check. With p == end this is a 4-byte read
past the validated buffer boundary. The garbage value is then passed
to kzalloc_objs() as the locker count.

The sibling function decode_watchers() in osd_client.c already uses
the safe variant ceph_decode_32_safe() after its own
ceph_start_decoding() call. decode_lockers() is the only site using
the bare variant, confirming an oversight.

Fix by replacing ceph_decode_32(p) with ceph_decode_32_safe(p, end,
*num_lockers, err_inval), adding a new err_inval label that returns
-EINVAL directly without attempting to free an uninitialized lockers
pointer.

KASAN report (kernel 7.0.0-rc7, QEMU/x86_64, KASLR disabled):
  ==================================================================
  BUG: KASAN: slab-out-of-bounds in ceph_oob3_init+0x251/0xff0 [ceph_oob3_poc]
  Read of size 4 at addr ffff88800a29b76e by task insmod/58

  CPU: 0 UID: 0 PID: 58 Comm: insmod Tainted: G           O        7.0.0-rc7-g9c2abf69da83-dirty #15 PREEMPT(lazy)
  Tainted: [O]=OOT_MODULE
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x4d/0x70
   print_report+0x170/0x4f3
   kasan_report+0xda/0x110
   ceph_oob3_init+0x251/0xff0 [ceph_oob3_poc]
   do_one_initcall+0x9a/0x3a0
   do_init_module+0x27c/0x790
   load_module+0x4a9a/0x6350
   init_module_from_file+0x15c/0x180
   idempotent_init_module+0x21f/0x750
   __x64_sys_finit_module+0xba/0x120
   do_syscall_64+0xe2/0x570
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  Allocated by task 58:
   kasan_save_stack+0x30/0x50
   kasan_save_track+0x14/0x30
   __kasan_kmalloc+0x7f/0x90
   ceph_oob3_init+0x4d/0xff0 [ceph_oob3_poc]
   do_one_initcall+0x9a/0x3a0
   do_init_module+0x27c/0x790
   load_module+0x4a9a/0x6350
   init_module_from_file+0x15c/0x180
   idempotent_init_module+0x21f/0x750
   __x64_sys_finit_module+0xba/0x120
   do_syscall_64+0xe2/0x570
   entry_SYSCALL_64_after_hwframe+0x77/0x7f

  The buggy address belongs to the object at ffff88800a29a000
   which belongs to the cache kmalloc-8k of size 8192
  The buggy address is located 5998 bytes inside of
   allocated 6000-byte region [ffff88800a29a000, ffff88800a29b770)

  Memory state around the buggy address:
   ffff88800a29b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   ffff88800a29b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  >ffff88800a29b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
                                                               ^
   ffff88800a29b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ==================================================================

  num_lockers=0xccccaaaa (OOB garbage from KASAN redzone)

Attacker model: a malicious or compromised OSD in a multi-tenant Ceph
deployment can trigger this against any kernel client that issues the
lock.get_info class method (e.g. during RBD exclusive lock acquisition)
without any further privileges beyond OSD session establishment.

Fixes: d4ed4a530562 ("libceph: support for lock.lock_info")
Cc: stable@vger.kernel.org
Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
---
 net/ceph/cls_lock_client.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/ceph/cls_lock_client.c b/net/ceph/cls_lock_client.c
index c6956f1df..78276273c 100644
--- a/net/ceph/cls_lock_client.c
+++ b/net/ceph/cls_lock_client.c
@@ -299,7 +299,7 @@ static int decode_lockers(void **p, void *end, u8 *type, char **tag,
 	if (ret)
 		return ret;
 
-	*num_lockers = ceph_decode_32(p);
+	ceph_decode_32_safe(p, end, *num_lockers, err_inval);
 	*lockers = kzalloc_objs(**lockers, *num_lockers, GFP_NOIO);
 	if (!*lockers)
 		return -ENOMEM;
@@ -320,6 +320,8 @@ static int decode_lockers(void **p, void *end, u8 *type, char **tag,
 	*tag = s;
 	return 0;
 
+err_inval:
+	return -EINVAL;
 err_free_lockers:
 	ceph_free_lockers(*lockers, *num_lockers);
 	return ret;
-- 
2.53.0


^ permalink raw reply	[flat|nested] 9+ messages in thread
* Re:  [PATCH v2] ceph: fix multiple unsafe decodes in decode_locker()
@ 2026-05-28 18:14 Viacheslav Dubeyko
  2026-05-28 18:17 ` [PATCH v2] ceph: fix bare ceph_decode_8 OOB in decode_lockers() Pavitra Jha
  0 siblings, 1 reply; 9+ messages in thread
From: Viacheslav Dubeyko @ 2026-05-28 18:14 UTC (permalink / raw)
  To: idryomov, jhapavitra98; +Cc: ceph-devel, stable, linux-kernel

On Thu, 2026-05-28 at 09:01 -0400, Pavitra Jha wrote:
> decode_locker() in cls_lock_client.c contains three unsafe decode
> operations that allow a malicious or compromised OSD to trigger
> slab-out-of-bounds reads:
> 
> 1. ceph_decode_copy() at the locker_id_t name field has no preceding
>    bounds check. With p == end after ceph_start_decoding() accepts
>    struct_len=0, this reads sizeof(ceph_entity_name) = 9 bytes past
>    the validated buffer boundary.
> 
> 2. *p += sizeof(struct ceph_timespec) after the locker_info_t header
>    is an unchecked pointer advance. A malicious OSD can position p
>    past end, causing all subsequent _safe checks to pass against a
>    bogus boundary.
> 
> 3. len = ceph_decode_32(p) has no preceding bounds check, and the
>    immediately following *p += len is uncapped. A malicious OSD can
>    send len=0xffffffff, advancing p gigabytes past end and escaping
>    the decode window entirely.
> 
> Fix all three by replacing bare operations with their safe variants:
>   ceph_decode_copy   -> ceph_decode_copy_safe
>   *p += sizeof(...)  -> ceph_decode_skip_n
>   ceph_decode_32(p)  -> ceph_decode_32_safe
>   *p += len          -> ceph_decode_skip_n
> 
> A new out_bad: label is added to return -EINVAL on any bounds
> violation. -EINVAL is appropriate here: the data received from the OSD
> is structurally malformed, which is an invalid argument to the decode
> contract regardless of whether the caller or the wire is at fault.
> 
> KASAN report (kernel 7.0.0-rc7, QEMU/x86_64, KASLR disabled):
> 
>   [   26.183969] ceph_oob4_poc: buf=ffff888009e31000 end=ffff888009e31fa0
>   [   26.186087] ceph_oob4_poc: struct_v=1 struct_len=0 p==end: 1
>   [   26.186738] ceph_oob4_poc: triggering bare ceph_decode_32 past slab boundary...
>   [   26.187679] ==================================================================
>   [   26.188236] BUG: KASAN: slab-out-of-bounds in ceph_oob4_init+0x22b/0xff0 [ceph_oob4_poc]
>   [   26.188236] Read of size 4 at addr ffff888009e31fa0 by task insmod/59
>   [   26.188236] CPU: 0 UID: 0 PID: 59 Comm: insmod Tainted: G           O        7.0.0-rc7-g9c2abf69da83-dirty #15 PREEMPT(lazy)
>   [   26.188236] Call Trace:
>   [   26.188236]  <TASK>
>   [   26.188236]  dump_stack_lvl+0x4d/0x70
>   [   26.188236]  print_report+0x170/0x4f3
>   [   26.188236]  kasan_report+0xda/0x110
>   [   26.188236]  ceph_oob4_init+0x22b/0xff0 [ceph_oob4_poc]
>   [   26.188236]  do_one_initcall+0x9a/0x3a0
>   [   26.188236]  do_init_module+0x27c/0x790
>   [   26.188236]  load_module+0x4a9a/0x6350
>   [   26.188236]  init_module_from_file+0x15c/0x180
>   [   26.188236]  idempotent_init_module+0x21f/0x750
>   [   26.188236]  __x64_sys_finit_module+0xba/0x120
>   [   26.188236]  do_syscall_64+0xe2/0x570
>   [   26.188236]  entry_SYSCALL_64_after_hwframe+0x77/0x7f
>   [   26.188236]  </TASK>
>   [   26.188236] The buggy address belongs to the object at ffff888009e31000
>   [   26.188236]  which belongs to the cache kmalloc-4k of size 4096
>   [   26.188236] The buggy address is located 0 bytes to the right of
>   [   26.188236]  allocated 4000-byte region [ffff888009e31000, ffff888009e31fa0)
>   [   26.188236]  ffff888009e31f80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
>   [   26.188236]                                ^
>   [   26.188236]  ffff888009e32000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   [   26.188236] ==================================================================
>   [   26.255513] ceph_oob4_poc: len=0xcccccccc (OOB garbage from KASAN redzone)
> 
>   0xCCCCCCCC is KASAN redzone poison, confirming the read landed in
>   the slab redzone immediately past the 4000-byte allocation.
> 
> Attacker model: a malicious or compromised OSD in a multi-tenant Ceph
> deployment can trigger this against any kernel client that issues the
> lock.get_info class method (e.g. during RBD exclusive lock acquisition)
> without any further privileges beyond OSD session establishment.
> 
> Fixes: d4ed4a530562 ("libceph: support for lock.lock_info")
> Cc: stable@vger.kernel.org
> Signed-off-by: Pavitra Jha <jhapavitra98@gmail.com>
> ---
> v2: Move inline comments above ceph_decode_skip_n calls to stay within
>     the 80-column limit, and rename label bad -> out_bad, per
>     Viacheslav Dubeyko's review.
> ---
>  net/ceph/cls_lock_client.c | 12 ++++++++----
>  1 file changed, 8 insertions(+), 4 deletions(-)
> 
> diff --git a/net/ceph/cls_lock_client.c b/net/ceph/cls_lock_client.c
> index 78276273c..4f27b3d15 100644
> --- a/net/ceph/cls_lock_client.c
> +++ b/net/ceph/cls_lock_client.c
> @@ -259,7 +259,7 @@ static int decode_locker(void **p, void *end, struct ceph_locker *locker)
>  	if (ret)
>  		return ret;
>  
> -	ceph_decode_copy(p, &locker->id.name, sizeof(locker->id.name));
> +	ceph_decode_copy_safe(p, end, &locker->id.name, sizeof(locker->id.name), out_bad);

This line contains 85 symbols. What's the point of such long line? Why not
something like this?

	ceph_decode_copy_safe(p, end, &locker->id.name,
			      sizeof(locker->id.name), out_bad);

Have you run scripts/checkpatch.pl for the patch? I am sure that the check
should complain about this.

Thanks,
Slava.

>  	s = ceph_extract_encoded_string(p, end, NULL, GFP_NOIO);
>  	if (IS_ERR(s))
>  		return PTR_ERR(s);
> @@ -270,19 +270,23 @@ static int decode_locker(void **p, void *end, struct ceph_locker *locker)
>  	if (ret)
>  		return ret;
>  
> -	*p += sizeof(struct ceph_timespec); /* skip expiration */
> +	/* skip expiration */
> +	ceph_decode_skip_n(p, end, sizeof(struct ceph_timespec), out_bad);
>  
>  	ret = ceph_decode_entity_addr(p, end, &locker->info.addr);
>  	if (ret)
>  		return ret;
>  
> -	len = ceph_decode_32(p);
> -	*p += len; /* skip description */
> +	ceph_decode_32_safe(p, end, len, out_bad);
> +	/* skip description */
> +	ceph_decode_skip_n(p, end, len, out_bad);
>  
>  	dout("%s %s%llu cookie %s addr %s\n", __func__,
>  	     ENTITY_NAME(locker->id.name), locker->id.cookie,
>  	     ceph_pr_addr(&locker->info.addr));
>  	return 0;
> +out_bad:
> +	return -EINVAL;
>  }
>  
>  static int decode_lockers(void **p, void *end, u8 *type, char **tag,

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2026-06-02 16:46 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2026-05-23  1:46 [PATCH] ceph: fix OOB read in decode_lockers() via missing bounds check Pavitra Jha
2026-05-26 19:04 ` Viacheslav Dubeyko
2026-05-28 13:25   ` [PATCH v2] ceph: fix bare ceph_decode_8 OOB in decode_lockers() Pavitra Jha
2026-05-28 18:06     ` Viacheslav Dubeyko
2026-05-30 17:46     ` Dan Carpenter
2026-06-02  4:17       ` [PATCH v3] ceph: fix two unsafe bare decodes " Pavitra Jha
2026-06-02 16:46         ` Viacheslav Dubeyko
2026-05-28 14:36   ` [PATCH] ceph: fix OOB read in decode_lockers() via missing bounds check Pavitra Jha
2026-05-28 18:14 [PATCH v2] ceph: fix multiple unsafe decodes in decode_locker() Viacheslav Dubeyko
2026-05-28 18:17 ` [PATCH v2] ceph: fix bare ceph_decode_8 OOB in decode_lockers() Pavitra Jha

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Powered by JetHome