Description
In the Linux kernel, the following vulnerability has been resolved: libceph: fix potential use-after-free in have_mon_and_osd_map() The wait loop in __ceph_open_session() can race with the client receiving a new monmap or osdmap shortly after the initial map is received. Both ceph_monc_handle_map() and handle_one_map() install a new map immediately after freeing the old one kfree(monc->monmap); monc->monmap = monmap; ceph_osdmap_destroy(osdc->osdmap); osdc->osdmap = newmap; under client->monc.mutex and client->osdc.lock respectively, but because neither is taken in have_mon_and_osd_map() it's possible for client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in client->monc.monmap && client->monc.monmap->epoch && client->osdc.osdmap && client->osdc.osdmap->epoch; condition to dereference an already freed map. This happens to be reproducible with generic/395 and generic/397 with KASAN enabled: BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70 Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305 CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266 ... Call Trace: <TASK> have_mon_and_osd_map+0x56/0x70 ceph_open_session+0x182/0x290 ceph_get_tree+0x333/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e </TASK> Allocated by task 13305: ceph_osdmap_alloc+0x16/0x130 ceph_osdc_init+0x27a/0x4c0 ceph_create_client+0x153/0x190 create_fs_client+0x50/0x2a0 ceph_get_tree+0xff/0x680 vfs_get_tree+0x49/0x180 do_new_mount+0x1a3/0x2d0 path_mount+0x6dd/0x730 do_mount+0x99/0xe0 __do_sys_mount+0x141/0x180 do_syscall_64+0x9f/0x100 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 9475: kfree+0x212/0x290 handle_one_map+0x23c/0x3b0 ceph_osdc_handle_map+0x3c9/0x590 mon_dispatch+0x655/0x6f0 ceph_con_process_message+0xc3/0xe0 ceph_con_v1_try_read+0x614/0x760 ceph_con_workfn+0x2de/0x650 process_one_work+0x486/0x7c0 process_scheduled_works+0x73/0x90 worker_thread+0x1c8/0x2a0 kthread+0x2ec/0x300 ret_from_fork+0x24/0x40 ret_from_fork_asm+0x1a/0x30 Rewrite the wait loop to check the above condition directly with client->monc.mutex and client->osdc.lock taken as appropriate. While at it, improve the timeout handling (previously mount_timeout could be exceeded in case wait_event_interruptible_timeout() slept more than once) and access client->auth_err under client->monc.mutex to match how it's set in finish_auth(). monmap_show() and osdmap_show() now take the respective lock before accessing the map as well.
Product status
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before bb4910c5fd436701faf367e1b5476a5a6d2aff1c
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 05ec43e9a9de67132dc8cd3b22afef001574947f
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 7c8ccdc1714d9fabecd26e1be7db1771061acc6e
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 183ad6e3b651e8fb0b66d6a2678f4b80bfbba092
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before e08021b3b56b2407f37b5fe47b654be80cc665fb
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 3fc43120b22a3d4f1fbeff56a35ce2105b6a5683
1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 (git) before 076381c261374c587700b3accf410bdd2dba334e
5.10.247 (semver)
5.15.197 (semver)
6.1.159 (semver)
6.6.119 (semver)
6.12.61 (semver)
6.17.11 (semver)
6.18 (original_commit_for_fix)
References
git.kernel.org/...c/bb4910c5fd436701faf367e1b5476a5a6d2aff1c
git.kernel.org/...c/05ec43e9a9de67132dc8cd3b22afef001574947f
git.kernel.org/...c/7c8ccdc1714d9fabecd26e1be7db1771061acc6e
git.kernel.org/...c/183ad6e3b651e8fb0b66d6a2678f4b80bfbba092
git.kernel.org/...c/e08021b3b56b2407f37b5fe47b654be80cc665fb
git.kernel.org/...c/3fc43120b22a3d4f1fbeff56a35ce2105b6a5683
git.kernel.org/...c/076381c261374c587700b3accf410bdd2dba334e
Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.
