Commit 4c79fc2d authored by Raphael Zimmer's avatar Raphael Zimmer Committed by Ilya Dryomov
Browse files

libceph: Fix potential out-of-bounds access in crush_decode() 



A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.

This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().

Cc: stable@vger.kernel.org
Signed-off-by: default avatarRaphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: default avatarIlya Dryomov <idryomov@gmail.com>
Signed-off-by: default avatarIlya Dryomov <idryomov@gmail.com>
parent 5d691905

net/ceph/crush/crush.c

+1 −5
Original line number Diff line number Diff line
@@ -47,7 +47,6 @@ int crush_get_bucket_item_weight(const struct crush_bucket *b, int p) 
void crush_destroy_bucket_uniform(struct crush_bucket_uniform *b)

{

	kfree(b->h.items);

	kfree(b);

}



void crush_destroy_bucket_list(struct crush_bucket_list *b)
@@ -55,14 +54,12 @@ void crush_destroy_bucket_list(struct crush_bucket_list *b) 
	kfree(b->item_weights);

	kfree(b->sum_weights);

	kfree(b->h.items);

	kfree(b);

}



void crush_destroy_bucket_tree(struct crush_bucket_tree *b)

{

	kfree(b->h.items);

	kfree(b->node_weights);

	kfree(b);

}



void crush_destroy_bucket_straw(struct crush_bucket_straw *b)
@@ -70,14 +67,12 @@ void crush_destroy_bucket_straw(struct crush_bucket_straw *b) 
	kfree(b->straws);

	kfree(b->item_weights);

	kfree(b->h.items);

	kfree(b);

}



void crush_destroy_bucket_straw2(struct crush_bucket_straw2 *b)

{

	kfree(b->item_weights);

	kfree(b->h.items);

	kfree(b);

}



void crush_destroy_bucket(struct crush_bucket *b)
@@ -99,6 +94,7 @@ void crush_destroy_bucket(struct crush_bucket *b) 
		crush_destroy_bucket_straw2((struct crush_bucket_straw2 *)b);

		break;

	}

	kfree(b);

}



/**

net/ceph/osdmap.c

+4 −0
Original line number Diff line number Diff line
@@ -516,6 +516,10 @@ static struct crush_map *crush_decode(void *pbyval, void *end) 
		b->id = ceph_decode_32(p);

		b->type = ceph_decode_16(p);

		b->alg = ceph_decode_8(p);

		if (b->alg != alg) {

			b->alg = 0;

			goto bad;

		}

		b->hash = ceph_decode_8(p);

		b->weight = ceph_decode_32(p);

		b->size = ceph_decode_32(p);