Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A vulnerability exists in the Linux kernel's libceph component, in the ceph_monmap_decode() function. The function uses signed integer variables to hold values that can never be negative, which can lead to memory allocation problems. The variables blob_len and num_mon are defined as signed integers but are assigned values through a function intended for unsigned 32-bit integers. Because of this type mismatch, a large value can be interpreted as negative, bypass crucial validation checks, and cause an excessive memory allocation attempt that is likely to fail. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability could lead to improper memory allocation, causing the system to return an out-of-memory error instead of an invalid-input error. This could disrupt normal operations and potentially be exploited to cause a denial-of-service condition.
The vulnerability can be reproduced by passing ceph_monmap_decode() a message with a large value for num_mon that exceeds CEPH_MAX_MON. The function incorrectly interprets this value as negative, so the value passes the validation check and triggers the vulnerability.
Users can upgrade to the latest version of the Linux kernel stable tree, where this vulnerability has been addressed.
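The C sketch below is an added illustration, not the kernel's code: it models a signed count slipping past the upper-bound check and failing at allocation, next to the same logic with an unsigned count. MAX_MON, ENTRY_SIZE, ALLOC_LIMIT, model_alloc() and both decode_count_*() functions are assumed names and values, and the two messages are constructed samples.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_MON     16u         /* assumed stand-in for CEPH_MAX_MON */
#define ENTRY_SIZE  64u         /* assumed size of one monitor entry */
#define ALLOC_LIMIT (1u << 20)  /* assumed cap of the modelled allocator */

/* Constructed sample messages: num_mon = 3 and num_mon = 0xFFFFFFF0. */
const unsigned char MSG_OK[4]  = { 0x03, 0x00, 0x00, 0x00 };
const unsigned char MSG_BAD[4] = { 0xF0, 0xFF, 0xFF, 0xFF };

/* Read an unsigned 32-bit little-endian field, as a wire decoder would. */
static uint32_t read_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Modelled allocation: fails for any request above ALLOC_LIMIT bytes. */
static int model_alloc(size_t count)
{
    return count > ALLOC_LIMIT / ENTRY_SIZE ? -ENOMEM : 0;
}

/* Before: the count is held in a signed int, as the page describes. */
int decode_count_signed(const unsigned char *msg)
{
    int num_mon = (int)read_le32(msg);   /* >= 0x80000000 turns negative (wraps on gcc/clang) */
    if (num_mon > (int)MAX_MON)          /* a negative value passes this check */
        return -EINVAL;
    return model_alloc((size_t)num_mon); /* converts to a huge request */
}

/* After: the count is held in an unsigned 32-bit variable. */
int decode_count_unsigned(const unsigned char *msg)
{
    uint32_t num_mon = read_le32(msg);
    if (num_mon > MAX_MON)               /* the large value is rejected here */
        return -EINVAL;
    return model_alloc(num_mon);
}

int main(void)
{
    printf("signed:   ok=%d bad=%d\n", decode_count_signed(MSG_OK), decode_count_signed(MSG_BAD));
    printf("unsigned: ok=%d bad=%d\n", decode_count_unsigned(MSG_OK), decode_count_unsigned(MSG_BAD));
    return 0;
}
```

With the signed variable the oversized count surfaces as -ENOMEM from the allocation step; with the unsigned variable the same input is rejected as -EINVAL at the bounds check.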