Linux Kernel Ceph File System Invalid Pointer Vulnerability in Snapshot Directory Handling

Vulnerability

A vulnerability in the Linux kernel's Ceph file system implementation can cause a kernel oops when snapshot directories are accessed. The 'str' variable, which is later freed with kfree(), is incorrectly advanced by one to skip the initial underscore in snapshot names. kfree() is therefore called with a pointer that no longer matches the start of the allocation, which is invalid and triggers the oops. The vulnerability can be reproduced by creating snapshots on a Ceph file system volume, mounting the volume, and then attempting to list the snapshots, which causes the system to hang indefinitely while the oops is logged.
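The pointer-ownership mistake described above, shown as an added user-space model beside a corrected form. This is not the kernel source or the upstream patch: model_alloc, model_free, snap_len_buggy, snap_len_fixed and the sample snapshot name are hypothetical, and the model counts the invalid free instead of performing it.

```c
/* User-space model of the bug class, not kernel code; all names hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
static void *live;     /* address the allocator actually returned */
static int bad_frees;  /* frees of an address the allocator never returned */

static char *model_alloc(const char *src)  /* stand-in for an allocated copy */
{
    char *p = malloc(strlen(src) + 1);
    if (p) strcpy(p, src);
    return live = p;
}

static void model_free(void *p)            /* stand-in for kfree() */
{
    if (p != live) bad_frees++;  /* in the kernel: the invalid-pointer oops */
    free(live);                  /* release the real block; the model stays safe */
    live = NULL;
}

/* Buggy: the owning pointer is advanced past '_' and then freed. */
static size_t snap_len_buggy(const char *snap)
{
    char *str = model_alloc(snap);
    if (!str) return 0;
    if (*str == '_') str++;      /* str no longer points at the block start */
    size_t n = strlen(str);
    model_free(str);
    return n;
}

/* Fixed: a cursor skips '_'; the owning pointer reaches free unchanged. */
static size_t snap_len_fixed(const char *snap)
{
    char *str = model_alloc(snap);
    if (!str) return 0;
    const char *cur = (*str == '_') ? str + 1 : str;
    size_t n = strlen(cur);
    model_free(str);
    return n;
}

int main(void)
{
    size_t n = snap_len_fixed("_snap1_12345");  /* constructed sample name */
    printf("fixed: len=%zu bad_frees=%d\n", n, bad_frees);
    n = snap_len_buggy("_snap1_12345");
    printf("buggy: len=%zu bad_frees=%d\n", n, bad_frees);
    return 0;
}
```

Both functions compute the same name length; only the buggy one hands the free routine an address that was never allocated, and only when the name starts with an underscore.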

Impact

Exploitation of this vulnerability causes a kernel oops, leading to a system hang and disruption of normal operations.

Reproduction

To reproduce this vulnerability, create snapshots on a Ceph file system volume. After creating the snapshots, add the Ceph file system mount to the system's fstab file. Reboot the system and verify that the volume is mounted. Once confirmed, attempt to list the snapshot directory. The 'ls' command will hang indefinitely, and the kernel log will show the oops error.

Remediation

Users can apply the patch available in the Linux kernel stable tree to address this vulnerability.

Added: Feb 14, 2026, 5:23 PM
Updated: Feb 14, 2026, 5:23 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 3.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.