ACK: [SRU][F][PATCH 0/1] CVE-2024-26689

Andrei Gherzan andrei.gherzan at canonical.com
Mon Mar 24 08:59:18 UTC 2025 

On 25/03/14 12:23pm, Massimiliano Pellizzer wrote:
> https://ubuntu.com/security/CVE-2024-26689
> 
> [ Impact ]
> 
> ceph: prevent use-after-free in encode_cap_msg()
> 
> In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error was
> caught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. This
> implies before the refcount could be increment here, it was freed.
> 
> In same file, in "handle_cap_grant()" refcount is decremented by this
> line - 'ceph_buffer_put(ci->i_xattrs.blob);'. It appears that a race
> occurred and resource was freed by the latter line before the former
> line could increment it.
> 
> encode_cap_msg() is called by __send_cap() and __send_cap() is called by
> ceph_check_caps() after calling __prep_cap(). __prep_cap() is where
> arg->xattr_buf is assigned to ci->i_xattrs.blob. This is the spot where
> the refcount must be increased to prevent "use after free" error.
> 
> [ Fix ]
> 
> Oracular: Not affected
> Noble: Not affected
> Jammy: Fixed via upstream stable updates (LP: #2059014)
> Focal: Backported from mainline
> 
> [ Test Plan ]
> 
> Compile and boot tested.
> Stress tested a single node Ceph installation:
> $ sudo snap install microceph
> $ sudo microceph cluster bootstrap
> $ sudo microceph.ceph osd crush rule rm replicated_rule
> $ sudo microceph.ceph osd crush rule create-replicated single default osd
> $ sudo microceph disk add /dev/sdb --wipe
> $ sudo microceph.ceph config set global osd_pool_default_size 1
> $ sudo microceph.ceph osd pool create cephfs_metadata 8
> $ sudo microceph.ceph osd pool create cephfs_data 8
> $ sudo microceph.ceph fs new cephfs cephfs_metadata cephfs_data
> $ sudo microceph.ceph auth get-or-create client.admin mon 'allow *' mds 'allow *' osd 'allow *' mgr 'allow *'
> $ sudo mkdir -p /mnt/cephfs
> $ sudo mount -t ceph $(hostname -I | awk '{print $1}'):6789:/ /mnt/cephfs -o name=admin,secret=xxx
> $ mount
> ...
> 10.xx.xx.xx:6789:/ on /mnt/cephfs type ceph (rw,relatime,name=admin,secret=<hidden>,acl)
> $ cd /mnt/cephfs
> $ sudo stress-ng --hdd 8 --hdd-ops 500000 --timeout 5m --metrics-brief
> stress-ng: info:  [2826] dispatching hogs: 8 hdd
> stress-ng: info:  [2826] successful run completed in 31.34s
> $ sudo stress-ng --dir 8 --dir-ops 500000 --timeout 5m --metrics-brief
> stress-ng: info:  [2844] dispatching hogs: 8 dir
> stress-ng: info:  [2844] successful run completed in 168.83s (2 mins, 48.83 secs)
> $ sudo stress-ng --xattr 8 --xattr-ops 500000 --timeout 5m --metrics-brief
> stress-ng: info:  [2863] dispatching hogs: 8 xattr
> stress-ng: info:  [2863] successful run completed in 300.19s (5 mins, 0.19 secs)
> 
> [ Where Problems Could Occur ]
> 
> The fix affects the Ceph filesystem. An issue with this fix may lead
> to improper reference counting of extended attribute buffers.
> A user might experience problems such as filesystem inconsistencies,
> unexpected kernel crashes, data corruption, or failures when accessing
> or modifyinng files on Ceph.

Acked-by: Andrei Gherzan <andrei.gherzan at canonical.com>

-- 
Andrei Gherzan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20250324/8a120921/attachment-0001.sig>

More information about the kernel-team mailing list