mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/net/ceph
History
Ilya Dryomov a282a2f105 libceph: harden msgr2.1 frame segment length checks 
ceph_frame_desc::fd_lens is an int array.  decode_preamble() thus
effectively casts u32 -> int but the checks for segment lengths are
written as if on unsigned values.  While reading in HELLO or one of the
AUTH frames (before authentication is completed), arithmetic in
head_onwire_len() can get duped by negative ctrl_len and produce
head_len which is less than CEPH_PREAMBLE_LEN but still positive.
This would lead to a buffer overrun in prepare_read_control() as the
preamble gets copied to the newly allocated buffer of size head_len.

Cc: stable@vger.kernel.org
Fixes: cd1a677cad ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Reported-by: Thelford Williams <thelford@google.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
 		2023-07-13 13:18:57 +02:00
..
crush libceph: use swap() macro instead of taking tmp variable 2022-05-25 20:45:13 +02:00
Kconfig libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
Makefile libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
armor.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
auth.c libceph: remove unnecessary ret variable in ceph_auth_init() 2021-06-28 23:49:25 +02:00
auth_none.c libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_none.h libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_x.c libceph: set global_id as soon as we get an auth ticket 2021-06-24 21:03:17 +02:00
auth_x.h ceph: fix whitespace 2018-08-02 21:33:21 +02:00
auth_x_protocol.h libceph: fix some spelling mistakes 2021-06-28 23:49:25 +02:00
buffer.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
ceph_common.c libceph: optionally use bounce buffer on recv path in crc mode 2022-02-02 18:50:36 +01:00
ceph_hash.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
ceph_strings.c libceph: introduce connection modes and ms_mode option 2020-12-14 23:21:50 +01:00
cls_lock_client.c libceph: fix doc warnings in cls_lock_client.c 2021-06-28 23:49:25 +02:00
crypto.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
crypto.h libceph, ceph: incorporate nautilus cephx changes 2020-12-14 23:21:50 +01:00
debugfs.c libceph: dump class and method names on method calls 2020-08-03 11:03:01 +02:00
decode.c libceph: allow addrvecs with a single NONE/blank address 2021-05-04 16:06:15 +02:00
messenger.c net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
messenger_v1.c libceph: Partially revert changes to support MSG_SPLICE_PAGES 2023-06-27 09:32:40 -07:00
messenger_v2.c libceph: harden msgr2.1 frame segment length checks 2023-07-13 13:18:57 +02:00
mon_client.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
msgpool.c libceph: preallocate message data items 2018-10-22 10:28:22 +02:00
osd_client.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
osdmap.c libceph: print fsid and epoch with osd id 2022-08-03 00:54:12 +02:00
pagelist.c libceph: fix ceph_pagelist_reserve() comment typo 2022-08-03 00:54:13 +02:00
pagevec.c libceph: remove ceph_get_direct_page_vector() 2019-07-08 14:01:40 +02:00
snapshot.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 268 2019-06-05 17:30:29 +02:00
string_table.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
striper.c rbd: support for object-map and fast-diff 2019-07-08 14:01:45 +02:00