Linux Kernel libceph Out-of-Bounds Access Vulnerability in Authentication Reply Handling

Vulnerability

A vulnerability in the Linux kernel's libceph component can lead to out-of-bounds memory access in the function ceph_handle_auth_reply(). The issue arises when a message of type CEPH_MSG_AUTH_REPLY is processed. It is caused by the payload_len field, which is initially stored in a signed int. If payload_len exceeds INT_MAX, the value overflows and the length is misinterpreted as a negative number. This incorrect value is then used to decrement a pointer address, leading to unauthorized memory access. The problem is exacerbated because the function ceph_decode_need() only verifies that the memory access does not exceed the allocated segment's end, so a negative length is not caught, potentially allowing exploitation.

Impact

Exploitation of this vulnerability causes a heap-based buffer overflow, which can lead to arbitrary code execution.

Reproduction

To reproduce this vulnerability, send a CEPH_MSG_AUTH_REPLY message with a payload_len value that exceeds INT_MAX. This will trigger the integer overflow, causing ceph_handle_auth_reply() to incorrectly calculate the payload length and access memory out of bounds.

Remediation

The vulnerability has been addressed by changing the data type of payload_len and result_msg_len from int to u32, adding sanity checks to ensure these lengths do not exceed the overall segment length, and replacing direct length checks with the safer ceph_decode_need() function.
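The following is an added illustration of the signed-length defect described above and of the remediation pattern (u32 length, sanity check against the segment, bounds check before use). It is editor-written example code, not the kernel's libceph implementation: the message layout (a 4-byte little-endian payload_len followed by the payload) and the decode_need() helper are simplified stand-ins for the real wire format and for ceph_decode_need(), and the input buffers are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed simplified layout: [u32 payload_len (LE)][payload bytes ...] */

typedef struct {
    const uint8_t *p;    /* current decode position */
    const uint8_t *end;  /* end of the received segment */
} decoder;

/* Simplified stand-in for ceph_decode_need(): do at least n bytes remain?
 * Note that n is unsigned, so a negative length can never reach it. */
static int decode_need(const decoder *d, size_t n)
{
    return (size_t)(d->end - d->p) >= n;
}

/* Read a little-endian u32 (constructed wire format for this example). */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: the length is held in a signed int and compared with
 * signed arithmetic.  Returns 1 if the flawed check accepts the message,
 * 0 if it rejects it; *signed_len receives the value the code would then
 * have used for pointer arithmetic. */
int vulnerable_check(const uint8_t *buf, size_t len, int *signed_len)
{
    if (len < 4)
        return 0;
    /* A value above INT_MAX wraps to a negative int here (implementation-
     * defined conversion; wraps on mainstream compilers). */
    int payload_len = (int)get_le32(buf);
    const uint8_t *p = buf + 4;
    const uint8_t *end = buf + len;

    *signed_len = payload_len;
    /* end - p is ptrdiff_t (signed): any negative payload_len passes. */
    if (payload_len > end - p)
        return 0;
    /* The real code would now advance/adjust p by payload_len, which for a
     * negative value points before the segment start. */
    return 1;
}

/* Hardened pattern mirroring the described fix: unsigned length, explicit
 * check that it does not exceed the remaining segment, then decode_need()
 * before the payload is touched.  Returns 0 on success, -1 on rejection. */
int hardened_parse(const uint8_t *buf, size_t len,
                   const uint8_t **payload, uint32_t *payload_len_out)
{
    decoder d = { buf, buf + len };
    uint32_t payload_len;

    if (!decode_need(&d, 4))
        return -1;
    payload_len = get_le32(d.p);
    d.p += 4;

    /* Sanity check: a length larger than the whole remaining segment is
     * malformed regardless of what follows. */
    if (payload_len > (size_t)(d.end - d.p))
        return -1;
    if (!decode_need(&d, payload_len))
        return -1;

    *payload = d.p;
    *payload_len_out = payload_len;
    return 0;
}

int main(void)
{
    /* Constructed message: payload_len = 0x80000000 (> INT_MAX), 4 bytes follow. */
    const uint8_t oversized[8] = { 0x00, 0x00, 0x00, 0x80, 1, 2, 3, 4 };
    /* Constructed well-formed message: payload_len = 4, 4 bytes follow. */
    const uint8_t wellformed[8] = { 0x04, 0x00, 0x00, 0x00, 1, 2, 3, 4 };
    int slen = 0;
    const uint8_t *pl = NULL;
    uint32_t pn = 0;

    printf("vulnerable check on oversized length: accepted=%d, signed_len=%d\n",
           vulnerable_check(oversized, sizeof oversized, &slen), slen);
    printf("hardened parse on oversized length: rc=%d\n",
           hardened_parse(oversized, sizeof oversized, &pl, &pn));
    printf("hardened parse on well-formed message: rc=%d, payload_len=%u\n",
           hardened_parse(wellformed, sizeof wellformed, &pl, &pn), pn);
    return 0;
}
```

The signed comparison in vulnerable_check() is the crux: once the length is negative, no check phrased as "length must not run past the end of the segment" can reject it, which is why the fix changes the type to u32 and adds an explicit upper bound against the segment length before calling the bounds-check helper.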

Added: May 8, 2026, 8:53 PM
Updated: May 8, 2026, 8:53 PM

Vulnerability Rating

Custom Algorithm

Category        Score
spread          9.0
impact          0.6
exploitability  5.7
remediation     7.7
relevance       7.8
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.