git-server-git.apps.pok.os.sepia.ceph.com Git

author	Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
	Wed, 22 Apr 2026 08:47:13 +0000 (10:47 +0200)
committer	Ilya Dryomov <idryomov@gmail.com>
	Mon, 11 May 2026 08:39:21 +0000 (10:39 +0200)
commit	4c79fc2d598694bda845b46229c9d48b65042970
tree	98335921fa67cebca5b50f437d06e9f74cfb31c8	tree \| snapshot
parent	5d6919055dec134de3c40167a490f33c74c12581	commit \| diff

libceph: Fix potential out-of-bounds access in crush_decode()

A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.

This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().

Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

net/ceph/crush/crush.c		diff \| blob \| history
net/ceph/osdmap.c		diff \| blob \| history