git-server-git.apps.pok.os.sepia.ceph.com Git

author	Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
	Wed, 22 Apr 2026 08:47:13 +0000 (10:47 +0200)
committer	Ilya Dryomov <idryomov@gmail.com>
	Wed, 29 Apr 2026 00:13:03 +0000 (02:13 +0200)
commit	c9800a0650431b92803a537b0737a67df6d23d4b
tree	c9374397af07078b4dbe9bc639acef9c9066677d	tree \| snapshot
parent	254f49634ee16a731174d2ae34bc50bd5f45e731	commit \| diff

libceph: Fix potential out-of-bounds access in crush_decode()

A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.

This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().

Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

net/ceph/crush/crush.c		diff \| blob \| history
net/ceph/osdmap.c		diff \| blob \| history