[SRU][N][PATCH 0/1] Ubuntu 24.04.2: NULL pointer dereference with Ceph and selinux (LP: #2115447)

Massimiliano Pellizzer massimiliano.pellizzer at canonical.com
Fri Jul 18 08:47:41 UTC 2025


BugLink: https://bugs.launchpad.net/bugs/2115447

[ Impact ]

fs/ceph,selinux: fix NULL pointer dereference on CephFS write with SELinux in
permissive mode

A NULL pointer dereference occurs in the Ceph kernel client (CephFS)
when a file is created on a mounted CephFS volume while SELinux is
enabled in permissive mode.

[   86.678570] BUG: kernel NULL pointer dereference, address: 000000000000001d
[   86.679238] #PF: supervisor read access in kernel mode
[   86.679859] #PF: error_code(0x0000) - not-present page
[   86.680445] PGD 0 P4D 0
[   86.681021] Oops: 0000 [#1] PREEMPT SMP PTI
[   86.681558] CPU: 0 PID: 2818 Comm: touch Not tainted 6.8.0-62-generic #65-Ubuntu
[   86.682095] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[   86.682716] RIP: 0010:memcpy_orig+0x54/0x130
[   86.683267] Code: 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 <4c> 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
[   86.684464] RSP: 0018:ffffa79300b2f7e0 EFLAGS: 00010283
[   86.685060] RAX: ffff9aeb6123a008 RBX: 0000000000000ff8 RCX: 0000000000000000
[   86.685659] RDX: ffffffffffffffe5 RSI: 0000000000000025 RDI: ffff9aeb6123a02d
[   86.686265] RBP: ffffa79300b2f810 R08: 0000000000000025 R09: 0000000000000000
[   86.686843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000025
[   86.687366] R13: 0000000000000000 R14: ffff9aeb408d5960 R15: ffffa79300b2f8e4
[   86.687888] FS:  0000724d07b47740(0000) GS:ffff9aec77c00000(0000) knlGS:0000000000000000
[   86.688416] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   86.688947] CR2: 000000000000001d CR3: 000000012038a004 CR4: 00000000001706f0
[   86.689541] Call Trace:
[   86.690124]  <TASK>
[   86.690704]  ? show_regs+0x6d/0x80
[   86.691256]  ? __die+0x24/0x80
[   86.691807]  ? page_fault_oops+0x99/0x1b0
[   86.692426]  ? kernelmode_fixup_or_oops.isra.0+0x69/0x90
[   86.692991]  ? __bad_area_nosemaphore+0x19e/0x2c0
[   86.693563]  ? find_vma+0x34/0x60
[   86.694214]  ? bad_area_nosemaphore+0x16/0x30
[   86.694835]  ? do_user_addr_fault+0x29d/0x670
[   86.695439]  ? exc_page_fault+0x83/0x1b0
[   86.696024]  ? asm_exc_page_fault+0x27/0x30
[   86.696614]  ? memcpy_orig+0x54/0x130
[   86.697202]  ? ceph_pagelist_append+0x124/0x150 [libceph]
[   86.697995]  ceph_security_init_secctx+0xce/0x1f0 [ceph]
[   86.698733]  ceph_new_inode+0x80/0xe0 [ceph]
[   86.699484]  ceph_atomic_open+0x3b2/0x9d0 [ceph]
[   86.700239]  ? may_create+0x141/0x150
[   86.700903]  lookup_open.isra.0+0x3a9/0x570
[   86.701534]  open_last_lookups+0x14f/0x400
[   86.702196]  path_openat+0x99/0x2d0
[   86.702815]  do_filp_open+0xaf/0x170
[   86.703475]  do_sys_openat2+0xb3/0xe0
[   86.704098]  __x64_sys_openat+0x55/0xa0
[   86.704804]  x64_sys_call+0x1eb1/0x25a0
[   86.705437]  do_syscall_64+0x7f/0x180
[   86.706120]  ? filemap_map_pages+0x2fe/0x4c0
[   86.706792]  ? __lruvec_stat_mod_folio+0x70/0xc0
[   86.707444]  ? do_read_fault+0x112/0x200
[   86.708157]  ? do_fault+0xf0/0x260
[   86.708850]  ? handle_pte_fault+0x114/0x1d0
[   86.709519]  ? __handle_mm_fault+0x654/0x800
[   86.710216]  ? __count_memcg_events+0x6b/0x120
[   86.710884]  ? count_memcg_events.constprop.0+0x2a/0x50
[   86.711505]  ? handle_mm_fault+0xad/0x380
[   86.712136]  ? do_user_addr_fault+0x334/0x670
[   86.712778]  ? irqentry_exit_to_user_mode+0x7b/0x260
[   86.713433]  ? irqentry_exit+0x43/0x50
[   86.714111]  ? clear_bhb_loop+0x15/0x70
[   86.714777]  ? clear_bhb_loop+0x15/0x70
[   86.715330]  ? clear_bhb_loop+0x15/0x70
[   86.715844]  entry_SYSCALL_64_after_hwframe+0x78/0x80
[   86.716378] RIP: 0033:0x724d0791b175
[   86.716895] Code: 83 e2 40 75 50 89 f0 f7 d0 a9 00 00 41 00 74 45 80 3d de fe 0e 00 00 74 60 89 da 4c 89 e6 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 7f 00 00 00 48 8b 55 b8 64 48 2b 14 25 28
[   86.718058] RSP: 002b:00007ffd9c151d40 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[   86.718648] RAX: ffffffffffffffda RBX: 0000000000000941 RCX: 0000724d0791b175
[   86.719225] RDX: 0000000000000941 RSI: 00007ffd9c153635 RDI: 00000000ffffff9c
[   86.719833] RBP: 00007ffd9c151db0 R08: 0000000000000000 R09: 0000000000000000
[   86.720414] R10: 00000000000001b6 R11: 0000000000000202 R12: 00007ffd9c153635
[   86.720982] R13: 0000724d07a03248 R14: 0000000000000000 R15: 0000000000000001
[   86.721596]  </TASK>

[ Fix ]

The issue is solved by modifying the kernel code as follows:
- In the SELinux hook selinux_dentry_init_security(), remove a faulty cast when
  assigning the context pointer, allowing the LSM to populate the context
  buffer correctly and avoiding the NULL pointer dereference
- In ceph_security_init_secctx(), add the missing encoding of the xattr name
  and its length to the pagelist

[ Test Plan ]

The issue can be reproduced (before) and the fix tested (after) following the
steps below:

$ sudo snap install microceph
$ sudo microceph cluster bootstrap
$ sudo microceph.ceph osd crush rule rm replicated_rule
$ sudo microceph.ceph osd crush rule create-replicated single default osd
$ sudo microceph disk add /dev/sdb --wipe
$ sudo microceph.ceph config set global osd_pool_default_size 1
$ sudo microceph.ceph osd pool create cephfs_metadata 8
$ sudo microceph.ceph osd pool create cephfs_data 8
$ sudo microceph.ceph fs new cephfs cephfs_metadata cephfs_data
$ sudo apt install selinux-basics selinux-policy-default -y && sudo selinux-activate
$ sudo reboot

$ sudo mkdir -p /mnt/cephfs
$ sudo microceph.ceph auth get-or-create client.admin mon 'allow *' mds 'allow *' osd 'allow *' mgr 'allow *'
$ sudo mount -t ceph $(hostname -I | awk '{print $1}'):6789:/ /mnt/cephfs -o name=admin,secret=
$ sudo touch /mnt/cephfs/test.txt
$ ll /mnt/cephfs/

[ Regression Potential ]

This fix modifies how SELinux provides security context data
to the CephFS client and how that data is encoded for transmission.
A regression could cause incorrect xattr encoding,
resulting in file creation failures (EPERM or EIO) or LSM labeling errors.
If the context pointer is mishandled, memory corruption or crashes may occur.
Additionally, malformed pagelist encoding could cause client-MDS
protocol mismatches.
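To make the second bullet of the [ Fix ] section concrete, the following user-space C model is an added example; it is neither the kernel's code nor part of this patch series. It encodes a constructed SELinux context into a toy pagelist both ways, value only (the "before" shape) and with the xattr name and its length in front (the "after" shape), then parses the result the way a receiver would. The pagelist layout (le32 count, then per entry le32 name_len, name, le32 value_len, value), the helper names (toy_pagelist, pl_append, pl_encode_32, encode_secctx_before, encode_secctx_after, decode_single_xattr, secctx_roundtrip, secctx_null_ctx_rejected) and the sample label are all assumptions made for illustration; only ceph_security_init_secctx() and ceph_pagelist_append() are names taken from this page.

```c
/* Added example, not the kernel's code: a user-space model of the
 * xattr-in-pagelist encoding that, per the fix description, the client
 * must build (xattr name and its length, then the value and its length).
 * The layout used here (le32 count; per entry le32 name_len, name,
 * le32 value_len, value) is an assumption for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct toy_pagelist { uint8_t buf[256]; size_t len; };

/* Append raw bytes. A NULL source with a non-zero length is refused instead
 * of being handed to memcpy, which is where the oops above faulted. */
static int pl_append(struct toy_pagelist *pl, const void *src, size_t n)
{
    if (n == 0)
        return 0;
    if (!src || n > sizeof pl->buf - pl->len)
        return -1;
    memcpy(pl->buf + pl->len, src, n);
    pl->len += n;
    return 0;
}

static int pl_encode_32(struct toy_pagelist *pl, uint32_t v)
{
    uint8_t le[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v >> 16), (uint8_t)(v >> 24) };
    return pl_append(pl, le, sizeof le);
}

/* "Before": count, value length, value; the name never reaches the list. */
static int encode_secctx_before(struct toy_pagelist *pl, const char *name,
                                const void *ctx, uint32_t ctxlen)
{
    (void)name;
    if (pl_encode_32(pl, 1) || pl_encode_32(pl, ctxlen))
        return -1;
    return pl_append(pl, ctx, ctxlen);
}

/* "After": count, name length, name, value length, value. */
static int encode_secctx_after(struct toy_pagelist *pl, const char *name,
                               const void *ctx, uint32_t ctxlen)
{
    uint32_t nlen = (uint32_t)strlen(name);
    if (pl_encode_32(pl, 1) || pl_encode_32(pl, nlen) || pl_append(pl, name, nlen))
        return -1;
    return pl_encode_32(pl, ctxlen) ? -1 : pl_append(pl, ctx, ctxlen);
}

static int rd32(const uint8_t *p, size_t len, size_t *off, uint32_t *out)
{
    if (len - *off < 4)
        return -1;
    p += *off;
    *out = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    *off += 4;
    return 0;
}

/* Parse a one-entry list as a receiver would: 0 only if every field is
 * present and no bytes are left over. */
static int decode_single_xattr(const uint8_t *b, size_t len, char *name,
                               size_t ncap, char *val, size_t vcap)
{
    size_t off = 0;
    uint32_t count, nlen, vlen;
    if (rd32(b, len, &off, &count) || count != 1)
        return -1;
    if (rd32(b, len, &off, &nlen) || nlen >= ncap || len - off < nlen)
        return -1;
    memcpy(name, b + off, nlen); name[nlen] = '\0'; off += nlen;
    if (rd32(b, len, &off, &vlen) || vlen >= vcap || len - off < vlen)
        return -1;
    memcpy(val, b + off, vlen); val[vlen] = '\0'; off += vlen;
    return off == len ? 0 : -1;
}

/* Round-trip a constructed SELinux label; 0 means the receiver recovered
 * the expected name and value. */
int secctx_roundtrip(int use_fix)
{
    const char *xattr = "security.selinux";
    const char *ctx = "unconfined_u:object_r:unlabeled_t:s0"; /* constructed; 37 bytes with NUL */
    uint32_t ctxlen = (uint32_t)strlen(ctx) + 1;
    struct toy_pagelist pl = { .len = 0 };
    char name[64], val[128];
    int rc = use_fix ? encode_secctx_after(&pl, xattr, ctx, ctxlen)
                     : encode_secctx_before(&pl, xattr, ctx, ctxlen);
    if (rc == 0)
        rc = decode_single_xattr(pl.buf, pl.len, name, sizeof name, val, sizeof val);
    if (rc == 0 && (strcmp(name, xattr) != 0 || memcmp(val, ctx, ctxlen) != 0))
        rc = -1;
    return rc;
}

/* A NULL context with a non-zero length must fail cleanly, not oops. */
int secctx_null_ctx_rejected(void)
{
    struct toy_pagelist pl = { .len = 0 };
    return encode_secctx_after(&pl, "security.selinux", NULL, 37) != 0;
}

int main(void)
{
    printf("fixed decodes: %d, buggy decodes: %d, NULL ctx rejected: %d\n",
           secctx_roundtrip(1) == 0, secctx_roundtrip(0) == 0, secctx_null_ctx_rejected());
    return 0;
}
```

Build with cc -Wall -o secctx_demo secctx_demo.c and run it. The "after" encoding round-trips; the "before" encoding fails to parse because the receiver reads the context bytes as the xattr name and then runs out of data for the value, which is the kind of client-MDS mismatch the regression section warns about. The NULL-context case is refused before memcpy rather than faulting inside it, as the trace shows ceph_pagelist_append() doing. The constructed label's NUL-terminated length is 37 (0x25), which happens to be the value the oops above shows in RSI, R08 and R12.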



