Linux Kernel libceph Component Use-After-Free Vulnerability in Monmap and OSD Map Handling

Vulnerability

A use-after-free vulnerability has been identified in the libceph component of the Linux kernel, specifically in the management of monmap and OSD map data. This issue arises in the '__ceph_open_session()' function, where the client may receive a new monmap or OSD map shortly after the initial one, leading to a race condition. The problem occurs because the old map is freed before the new one is fully installed, creating a window where the code can dereference a freed memory area. This vulnerability is reproducible with certain generic test cases when Kernel Address Sanitizer (KASAN) is enabled, resulting in a slab-use-after-free error.

Impact

The use-after-free condition can cause memory corruption, which could be exploited to execute arbitrary code or to cause a denial of service by crashing the system.

Reproduction

The vulnerability can be reproduced by mounting a Ceph file system with KASAN enabled. After the initial monmap and OSD map are received, a new map can be introduced, which races with the waiting loop in '__ceph_open_session()'. This timing issue allows the condition that checks for the presence of valid maps to dereference an already freed map, triggering the use-after-free vulnerability. The issue can be observed in the Linux kernel's stable branch, specifically in version 6.14.0-rc2-build2+.
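The check-versus-replace race described above, as a user-space model added here for illustration; it is not the kernel's code or the upstream patch. `struct client`, `struct map`, `have_map_racy()`, `have_map_locked()` and `install_map()` are hypothetical names, and a pthread mutex stands in for the kernel's locking.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space stand-ins, not the kernel's structures. */
struct map { unsigned int epoch; };
struct client {
    pthread_mutex_t lock;  /* guards 'map' and the lifetime of its target */
    struct map *map;
};

/* Racy shape: no lock, so a concurrent install_map() can free c->map
 * between the NULL test and the ->epoch read. */
bool have_map_racy(struct client *c)
{
    return c->map && c->map->epoch;
}

/* Hardened shape: the check holds the same lock as the updater. */
bool have_map_locked(struct client *c)
{
    pthread_mutex_lock(&c->lock);
    bool ok = c->map && c->map->epoch;
    pthread_mutex_unlock(&c->lock);
    return ok;
}

/* Updater: swap the pointer under the lock, free the old map afterwards. */
int install_map(struct client *c, unsigned int epoch)
{
    struct map *new_map = malloc(sizeof(*new_map));
    if (!new_map)
        return -1;
    new_map->epoch = epoch;
    pthread_mutex_lock(&c->lock);
    struct map *old = c->map;
    c->map = new_map;
    pthread_mutex_unlock(&c->lock);
    free(old);  /* safe: locked readers never keep the pointer past unlock */
    return 0;
}

int main(void)
{
    struct client c = { .lock = PTHREAD_MUTEX_INITIALIZER, .map = NULL };
    install_map(&c, 1);  /* initial map */
    install_map(&c, 2);  /* follow-up map arriving shortly after it */
    bool ok = have_map_locked(&c);
    free(c.map);
    return ok ? 0 : 1;
}
```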

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been addressed. Instructions for upgrading can be found in the official Linux kernel documentation.

Added: Dec 16, 2025, 6:39 PM
Updated: Dec 16, 2025, 6:39 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 1.5
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.