[PATCH OLK-5.10] ceph: prevent use-after-free in encode_cap_msg() - Kernel

11 Apr 2024

From: Rishabh Dave ridave@redhat.com
stable inclusion
from stable-v5.10.167
commit 8180d0c27b93a6eb60da1b08ea079e3926328214
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9E2GN
CVE: CVE-2024-26689
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=l...
--------------------------------
commit cda4672da1c26835dcbd7aec2bfed954eda9b5ef upstream.
In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
implies before the refcount could be increment here, it was freed.
In same file, in "handle_cap_grant()" refcount is decremented by this
line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
occurred and resource was freed by the latter line before the former
line could increment it.
encode_cap_msg() is called by __send_cap() and __send_cap() is called by
ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
the refcount must be increased to prevent "use after free" error.
Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/59259
Signed-off-by: Rishabh Dave ridave@redhat.com
Reviewed-by: Jeff Layton jlayton@kernel.org
Reviewed-by: Xiubo Li xiubli@redhat.com
Signed-off-by: Ilya Dryomov idryomov@gmail.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Long Li leo.lilong@huawei.com
---
 fs/ceph/caps.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index b0cf79b0dc49..8e43d07ffa8b 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1402,7 +1402,7 @@ static void __prep_cap(struct cap_msg_args *arg, struct ceph_cap *cap,
    if (flushing & CEPH_CAP_XATTR_EXCL) {
    	arg->old_xattr_buf = __ceph_build_xattrs_blob(ci);
    	arg->xattr_version = ci->i_xattrs.version;
-		arg->xattr_buf = ci->i_xattrs.blob;
+		arg->xattr_buf = ceph_buffer_get(ci->i_xattrs.blob);
    } else {
    	arg->xattr_buf = NULL;
    	arg->old_xattr_buf = NULL;
@@ -1468,6 +1468,7 @@ static void __send_cap(struct cap_msg_args *arg, struct ceph_inode_info *ci)
    encode_cap_msg(msg, arg);
    ceph_con_send(&arg->session->s_con, msg);
    ceph_buffer_put(arg->old_xattr_buf);
+	ceph_buffer_put(arg->xattr_buf);
    if (arg->wake)
    	wake_up_all(&ci->i_cap_wq);
 }
-- 
2.31.1


    