Linux Kernel Ceph Path Information Initialization Vulnerability

Vulnerability

A vulnerability exists in the Ceph file system implementation of the Linux kernel, specifically within the 'ceph_mdsc_build_path' function. The function must be given a zero-initialized 'ceph_path_info' parameter; if it is not, a crash can occur when 'ceph_mdsc_free_path_info' is called. The issue was observed in Linux kernel version 6.18.12, where the missing initialization caused a kernel crash due to a memory management error. Some callers of 'ceph_mdsc_build_path' initialized the 'ceph_path_info' structure correctly, but others did not, leaving them vulnerable to random crashes. The flaw could potentially be exploited to elevate privileges, although no such exploit has been documented.

Impact

Failing to properly initialize the 'ceph_path_info' structure can lead to memory management errors that crash the kernel. The vulnerability could also be exploited to elevate privileges.

Reproduction

The vulnerability can be reproduced by calling 'ceph_mdsc_build_path' without initializing the 'ceph_path_info' parameter, followed by a call to 'ceph_mdsc_free_path_info'. This sequence will trigger a crash due to the improper handling of the uninitialized data.

Remediation

The vulnerability has been addressed by adding the necessary initializations to all callers of 'ceph_mdsc_build_path'. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
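
The caller-side pattern behind the fix, as an added userspace example (not the kernel's code and not part of the original advisory). The struct, the functions and the builder's early-return behaviour are hypothetical stand-ins for 'ceph_path_info', 'ceph_mdsc_build_path' and 'ceph_mdsc_free_path_info'; the 0xAA fill is constructed stale stack data.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical userspace stand-in for ceph_path_info (not the kernel layout). */
struct path_info_model { char *path; /* builder-owned buffer, or NULL */ };
static char *last_alloc; /* the one pointer the model builder handed out */

/* Model builder. Assumption: on failure it returns before writing *pi,
 * so whatever the caller left in the struct survives. */
static int build_path_model(const char *name, struct path_info_model *pi)
{
    if (name == NULL) return -1;
    size_t n = strlen(name) + 1;
    pi->path = malloc(n);
    if (pi->path == NULL) return -1;
    memcpy(pi->path, name, n);
    last_alloc = pi->path;
    return 0;
}

/* Model free: trusts pi->path. Returns true when asked to release a pointer
 * the builder never allocated (the bad free is detected here, not performed). */
static bool free_path_info_model(struct path_info_model *pi)
{
    if (pi->path == NULL) return false;
    if (pi->path != last_alloc) return true;
    free(pi->path);
    pi->path = last_alloc = NULL;
    return false;
}

/* One caller, with and without the zero-initialization the fix adds. */
static bool caller_frees_garbage(bool zero_init, const char *name)
{
    struct path_info_model pi;
    memset(&pi, 0xAA, sizeof(pi)); /* constructed stale stack contents */
    if (zero_init) pi = (struct path_info_model){0};
    build_path_model(name, &pi);
    return free_path_info_model(&pi);
}

int main(void)
{
    printf("uninit: %d, zero-init: %d\n",
           caller_frees_garbage(false, NULL), caller_frees_garbage(true, NULL));
    return 0;
}
```

In this model only the uninitialized caller on the builder's failure path reaches the bad free, which matches the advisory's description of crashes that appear random rather than on every call.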

Added: May 8, 2026, 8:54 PM
Updated: May 8, 2026, 8:54 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 3.3
remediation: 7.7
relevance: 7.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.