Linux Kernel Ceph File System Off-by-One Error Vulnerability Leading to Kernel Panic

Vulnerability

An off-by-one error vulnerability has been identified in the Linux kernel's Ceph file system implementation, specifically in versions 6.18.16, 6.19.6, and 7.0-rc1. The issue arises in the 'move_dirty_folio_in_page_array()' function, which may fail under certain conditions when handling encrypted files. If the function fails to allocate a bounce buffer for the ciphertext, 'ceph_process_folio_batch()' will redirty the folio and flush the current batch, potentially leading to a mismatch in the 'num_ops' count. This discrepancy can cause 'ceph_submit_write()' to panic the kernel, as it expects an accurate reflection of the number of contiguous write ranges. The vulnerability can be reproduced by writing to fscrypt-enabled CephFS files while increasing memory pressure until a buffer allocation fails.

Impact

Exploiting this vulnerability causes a kernel panic, disrupting system operations and potentially leading to a denial of service.

Reproduction

To reproduce this vulnerability, write to fscrypt-enabled CephFS files in a repeating pattern of 4KiB written followed by 4KiB skipped. Gradually increase the system's memory pressure until a bounce buffer allocation fails; that failure triggers the off-by-one error and causes a kernel panic.
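The write pattern matters because of how contiguous ranges are counted. The following C model is an added illustration written for this page, not kernel code; its function names, fields and the order of counting versus placing are assumptions. It shows that a per-range op counter bumped before a folio is actually placed goes stale by exactly one when the folio whose allocation fails starts a new range, which every folio does in an alternating written/skipped layout, while a fully contiguous batch hides the discrepancy.

```c
/* Hypothetical model written for this page, not kernel code: an op counter
 * bumped before a folio is placed drifts from the ranges actually submitted. */
#include <stdbool.h>
#include <stddef.h>

struct batch_result {
    size_t num_ops;        /* what the writer believes it will submit */
    size_t placed_ranges;  /* contiguous ranges actually in the page array */
};

/* idx[]: page indices of dirty folios in order; fail_at: folio whose bounce
 * buffer allocation fails (>= n: no failure), it is redirtied and the batch
 * flushed as-is; count_before_move: bump num_ops when a folio starts a new
 * range before placing it (stale ordering) instead of after it is placed. */
struct batch_result process_batch(const unsigned long *idx, size_t n,
                                  size_t fail_at, bool count_before_move)
{
    struct batch_result r = {0, 0};
    for (size_t i = 0; i < n; i++) {
        bool new_range = (i == 0) || idx[i] != idx[i - 1] + 1;
        if (new_range && count_before_move)
            r.num_ops++;
        if (i == fail_at)               /* allocation failed: stop here */
            break;
        if (new_range) {
            r.placed_ranges++;
            if (!count_before_move)
                r.num_ops++;
        }
    }
    return r;
}

/* Constructed input: n folios spaced `stride` pages apart (stride 2 is the
 * "4KiB written, 4KiB skipped" layout). Returns num_ops minus the ranges
 * placed; a submit path that trusts num_ops needs this to be 0. */
long ops_mismatch(size_t n, unsigned long stride, size_t fail_at,
                  bool count_before_move)
{
    unsigned long idx[64];
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++)
        idx[i] = i * stride;
    struct batch_result r = process_batch(idx, n, fail_at, count_before_move);
    return (long)r.num_ops - (long)r.placed_ranges;
}
```

With stale ordering and the alternating layout, a failure on any folio after the first leaves num_ops one too high; the same failure inside a contiguous run, or counting only after a successful placement, leaves the two counts equal.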

Remediation

Users can apply the patch included in the official Linux kernel stable releases to address this vulnerability.

Added: May 27, 2026, 9:11 PM
Updated: May 27, 2026, 9:11 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 3.9
remediation: 7.7
relevance: 9.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.