diff options
| author | Raphael Zimmer <raphael.zimmer@tu-ilmenau.de> | 2026-04-22 11:47:13 +0300 |
|---|---|---|
| committer | Ilya Dryomov <idryomov@gmail.com> | 2026-05-11 11:39:21 +0300 |
| commit | 4c79fc2d598694bda845b46229c9d48b65042970 (patch) | |
| tree | 98335921fa67cebca5b50f437d06e9f74cfb31c8 /drivers/gpu/tests/git@radix-linux.su:pub | |
| parent | 5d6919055dec134de3c40167a490f33c74c12581 (diff) | |
| download | linux-4c79fc2d598694bda845b46229c9d48b65042970.tar.xz | |
libceph: Fix potential out-of-bounds access in crush_decode()
A message of type CEPH_MSG_OSD_MAP containing a crush map with at least
one bucket has two fields holding the bucket algorithm. If the values
in these two fields differ, an out-of-bounds access can occur. This is
the case because the first algorithm field (alg) is used to allocate
the correct amount of memory for a bucket of this type, while the second
algorithm field inside the bucket (b->alg) is used in the subsequent
processing.
This patch fixes the issue by adding a check that compares alg and
b->alg and aborts the processing in case they differ. Furthermore,
b->alg is set to 0 in this case, because the destruction of the crush
map also uses this field to determine the bucket type, which can again
result in an out-of-bounds access when trying to free the memory pointed
to by the fields of the bucket. To correctly free the memory allocated
for the bucket in such a case, the corresponding call to kfree is moved
from the algorithm-specific crush_destroy_bucket functions to the
generic crush_destroy_bucket().
Cc: stable@vger.kernel.org
Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Diffstat (limited to 'drivers/gpu/tests/git@radix-linux.su:pub')
0 files changed, 0 insertions, 0 deletions