Linux Kernel Slab-Out-Of-Bounds Access Vulnerability in libceph Authentication Message Processing

Vulnerability

A slab-out-of-bounds access vulnerability has been identified in the Linux kernel's libceph component, specifically in the handling of authentication messages. When a message of type CEPH_MSG_AUTH_REPLY contains a positive value in its result field, it is incorrectly interpreted as an error code. This leads to an out-of-bounds memory access when the value exceeds the allocated buffer size for the corresponding message segment. The vulnerability has been addressed by modifying the error handling to only consider negative values as errors, while positive values are now treated as successful responses. Additionally, a safeguard has been implemented to prevent messages from being sent if they exceed the allocated buffer size, making it easier to detect any logical errors that could lead to such an out-of-bounds condition.

Impact

Exploitation of this vulnerability causes a slab-out-of-bounds access, where memory beyond the allocated buffer is accessed and potentially leaked.

Reproduction

To reproduce this vulnerability, send a corrupted CEPH_MSG_AUTH_REPLY message with a positive value in the result field. The ceph_handle_auth_reply() function will treat this as an error and return it to handle_auth_reply(). This will trigger the sending of a CEPH_MSG_AUTH message, using the returned value as the size for the front segment. If the value exceeds the allocated buffer size, the out-of-bounds access occurs, leaking memory content beyond the buffer.
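The return-value handling described above, as an added user-space model in C (not the kernel's code). The function names, the 512-byte allocation and the sample values are assumptions made for illustration; it contrasts the flawed error check with the corrected one and the send-side length check.

```c
#include <stdio.h>
#include <stddef.h>

#define FRONT_ALLOC_LEN 512   /* constructed size of the preallocated front buffer */

/* Reply handler contract in this model: <0 = error, 0 = nothing to send,
 * >0 = length of the follow-up request already built in the front buffer. */
static int auth_reply_before(int result, int built_len)
{
    if (result)              /* flaw: a positive result is returned as if it were an error */
        return result;
    return built_len;
}

static int auth_reply_after(int result, int built_len)
{
    if (result < 0)          /* fix: only negative values are errors */
        return result;
    return built_len;        /* a positive result is treated as success */
}

/* Caller side: a positive return becomes the front segment length.
 * Returns the length that would go on the wire, 0 if nothing is sent,
 * or -1 when the length check refuses an oversized message. */
static long send_front_len(int ret, size_t alloc_len, int check_len)
{
    if (ret <= 0)
        return 0;
    if (check_len && (size_t)ret > alloc_len)
        return -1;           /* safeguard: never send more than was allocated */
    return ret;
}

/* Bytes past the allocation that a send of `len` would touch. */
static long overread(long len, size_t alloc_len)
{
    return len > (long)alloc_len ? len - (long)alloc_len : 0;
}

int main(void)
{
    int result = 4096;       /* constructed positive result field from a corrupted reply */
    long before = send_front_len(auth_reply_before(result, 0), FRONT_ALLOC_LEN, 0);
    long after = send_front_len(auth_reply_after(result, 0), FRONT_ALLOC_LEN, 1);
    printf("before: front_len=%ld overread=%ld\n", before, overread(before, FRONT_ALLOC_LEN));
    printf("after:  front_len=%ld overread=%ld\n", after, overread(after, FRONT_ALLOC_LEN));
    return 0;
}
```

In the model, the length check alone also stops an oversized send, so a future logic error of the same kind surfaces as a refused message instead of an out-of-bounds read.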

Remediation

Users can upgrade to the patched version of the Linux kernel available in the official Linux Git repository to address this vulnerability.

Added: May 28, 2026, 2:28 PM
Updated: May 28, 2026, 2:28 PM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.