Re: [PATCH] ceph: fix OOB read in decode_lockers() via missing bounds check

[Viacheslav Dubeyko]

On Fri, 2026-05-22 at 21:46 -0400, Pavitra Jha wrote:
> ceph_start_decoding() accepts struct_len=0 as valid:
> ceph_decode_need(p, end, 0, bad) always passes. When a malicious or
> compromised OSD sends a cls_lock_get_info_reply with struct_len=0,
> ceph_start_decoding() returns success with p == end, leaving zero
> bytes guaranteed for subsequent reads.
> 
> The immediately following bare ceph_decode_32(p) in decode_lockers()
> has no preceding bounds check. With p == end this is a 4-byte read
> past the validated buffer boundary. The garbage value is then passed
> to kzalloc_objs() as the locker count.
> 
> The sibling function decode_watchers() in osd_client.c already uses
> the safe variant ceph_decode_32_safe() after its own
> ceph_start_decoding() call. decode_lockers() is the only site using
> the bare variant, confirming an oversight.
> 
> Fix by replacing ceph_decode_32(p) with ceph_decode_32_safe(p, end,
> *num_lockers, err_inval), adding a new err_inval label that returns
> -EINVAL directly without attempting to free an uninitialized lockers
> pointer.
> 
> KASAN report (kernel 7.0.0-rc7, QEMU/x86_64, KASLR disabled):
>   ==================================================================
>   BUG: KASAN: slab-out-of-bounds in ceph_oob3_init+0x251/0xff0 [ceph_oob3_poc]
>   Read of size 4 at addr ffff88800a29b76e by task insmod/58
> 
>   CPU: 0 UID: 0 PID: 58 Comm: insmod Tainted: G           O        7.0.0-rc7-g9c2abf69da83-dirty #15 PREEMPT(lazy)
>   Tainted: [O]=OOT_MODULE
>   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.17.0-debian-1.17.0-1 04/01/2014
>   Call Trace:
>    <TASK>
>    dump_stack_lvl+0x4d/0x70
>    print_report+0x170/0x4f3
>    kasan_report+0xda/0x110
>    ceph_oob3_init+0x251/0xff0 [ceph_oob3_poc]
>    do_one_initcall+0x9a/0x3a0
>    do_init_module+0x27c/0x790
>    load_module+0x4a9a/0x6350
>    init_module_from_file+0x15c/0x180
>    idempotent_init_module+0x21f/0x750
>    __x64_sys_finit_module+0xba/0x120
>    do_syscall_64+0xe2/0x570
>    entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
>   Allocated by task 58:
>    kasan_save_stack+0x30/0x50
>    kasan_save_track+0x14/0x30
>    __kasan_kmalloc+0x7f/0x90
>    ceph_oob3_init+0x4d/0xff0 [ceph_oob3_poc]
>    do_one_initcall+0x9a/0x3a0
>    do_init_module+0x27c/0x790
>    load_module+0x4a9a/0x6350
>    init_module_from_file+0x15c/0x180
>    idempotent_init_module+0x21f/0x750
>    __x64_sys_finit_module+0xba/0x120
>    do_syscall_64+0xe2/0x570
>    entry_SYSCALL_64_after_hwframe+0x77/0x7f
> 
>   The buggy address belongs to the object at ffff88800a29a000
>    which belongs to the cache kmalloc-8k of size 8192
>   The buggy address is located 5998 bytes inside of
>    allocated 6000-byte region [ffff88800a29a000, ffff88800a29b770)
> 
>   Memory state around the buggy address:
>    ffff88800a29b600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>    ffff88800a29b680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   >ffff88800a29b700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
>                                                                ^
>    ffff88800a29b780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>   ==================================================================
> 
>   num_lockers=0xccccaaaa (OOB garbage from KASAN redzone)
> 
> Attacker model: a malicious or compromised OSD in a multi-tenant Ceph
> deployment can trigger this against any kernel client that issues the
> lock.get_info class method (e.g. during RBD exclusive lock acquisition)
> without any further privileges beyond OSD session establishment.
> 
> Fixes: d4ed4a530562 ("libceph: support for lock.lock_info")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Pavitra Jha <jhapavitra98@xxxxxxxxx>
> ---
>  net/ceph/cls_lock_client.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/ceph/cls_lock_client.c b/net/ceph/cls_lock_client.c
> index c6956f1df..78276273c 100644
> --- a/net/ceph/cls_lock_client.c
> +++ b/net/ceph/cls_lock_client.c
> @@ -299,7 +299,7 @@ static int decode_lockers(void **p, void *end, u8 *type, char **tag,

As far as I can see, decode_locker() has the same issue. Have you sent the patch
for this?

>  	if (ret)
>  		return ret;
>  
> -	*num_lockers = ceph_decode_32(p);
> +	ceph_decode_32_safe(p, end, *num_lockers, err_inval);
>  	*lockers = kzalloc_objs(**lockers, *num_lockers, GFP_NOIO);
>  	if (!*lockers)
>  		return -ENOMEM;
> @@ -320,6 +320,8 @@ static int decode_lockers(void **p, void *end, u8 *type, char **tag,
>  	*tag = s;
>  	return 0;
>  
> +err_inval:
> +	return -EINVAL;
>  err_free_lockers:
>  	ceph_free_lockers(*lockers, *num_lockers);
>  	return ret;

I am still not completely sure about -EINVAL here too. Maybe, -ENOMEM could be
more correct.

What about this [1]?

*type = ceph_decode_8(p);

Should we rework it too?

Thanks,
Slava.

[1]
https://elixir.bootlin.com/linux/v7.1-rc4/source/net/ceph/cls_lock_client.c#L313