Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]libceph: fix potential use-after-free in have_mon_and_osd_map()[EOL][EOL]The wait loop in __ceph_open_session() can race with the client[EOL]receiving a new monmap or osdmap shortly after the initial map is[EOL]received.  Both ceph_monc_handle_map() and handle_one_map() install[EOL]a new map immediately after freeing the old one[EOL][EOL]    kfree(monc->monmap);[EOL]    monc->monmap = monmap;[EOL][EOL]    ceph_osdmap_destroy(osdc->osdmap);[EOL]    osdc->osdmap = newmap;[EOL][EOL]under client->monc.mutex and client->osdc.lock respectively, but[EOL]because neither is taken in have_mon_and_osd_map() it's possible for[EOL]client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in[EOL][EOL]    client->monc.monmap && client->monc.monmap->epoch &&[EOL]        client->osdc.osdmap && client->osdc.osdmap->epoch;[EOL][EOL]condition to dereference an already freed map.  This happens to be[EOL]reproducible with generic/395 and generic/397 with KASAN enabled:[EOL][EOL]    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70[EOL]    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305[EOL]    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266[EOL]    ...[EOL]    Call Trace:[EOL]    <TASK>[EOL]    have_mon_and_osd_map+0x56/0x70[EOL]    ceph_open_session+0x182/0x290[EOL]    ceph_get_tree+0x333/0x680[EOL]    vfs_get_tree+0x49/0x180[EOL]    do_new_mount+0x1a3/0x2d0[EOL]    path_mount+0x6dd/0x730[EOL]    do_mount+0x99/0xe0[EOL]    __do_sys_mount+0x141/0x180[EOL]    do_syscall_64+0x9f/0x100[EOL]    entry_SYSCALL_64_after_hwframe+0x76/0x7e[EOL]    </TASK>[EOL][EOL]    Allocated by task 13305:[EOL]    ceph_osdmap_alloc+0x16/0x130[EOL]    ceph_osdc_init+0x27a/0x4c0[EOL]    ceph_create_client+0x153/0x190[EOL]    create_fs_client+0x50/0x2a0[EOL]    ceph_get_tree+0xff/0x680[EOL]    vfs_get_tree+0x49/0x180[EOL]    do_new_mount+0x1a3/0x2d0[EOL]    path_mount+0x6dd/0x730[EOL]    do_mount+0x99/0xe0[EOL]    __do_sys_mount+0x141/0x180[EOL]    do_syscall_64+0x9f/0x100[EOL]    entry_SYSCALL_64_after_hwframe+0x76/0x7e[EOL][EOL]    Freed by task 9475:[EOL]    kfree+0x212/0x290[EOL]    handle_one_map+0x23c/0x3b0[EOL]    ceph_osdc_handle_map+0x3c9/0x590[EOL]    mon_dispatch+0x655/0x6f0[EOL]    ceph_con_process_message+0xc3/0xe0[EOL]    ceph_con_v1_try_read+0x614/0x760[EOL]    ceph_con_workfn+0x2de/0x650[EOL]    process_one_work+0x486/0x7c0[EOL]    process_scheduled_works+0x73/0x90[EOL]    worker_thread+0x1c8/0x2a0[EOL]    kthread+0x2ec/0x300[EOL]    ret_from_fork+0x24/0x40[EOL]    ret_from_fork_asm+0x1a/0x30[EOL][EOL]Rewrite the wait loop to check the above condition directly with[EOL]client->monc.mutex and client->osdc.lock taken as appropriate.  While[EOL]at it, improve the timeout handling (previously mount_timeout could be[EOL]exceeded in case wait_event_interruptible_timeout() slept more than[EOL]once) and access client->auth_err under client->monc.mutex to match[EOL]how it's set in finish_auth().[EOL][EOL]monmap_show() and osdmap_show() now take the respective lock before[EOL]accessing the map as well.