From: Viacheslav Dubeyko <slava@dubeyko.com>
To: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>,
Ilya Dryomov <idryomov@gmail.com>,
Alex Markuze <amarkuze@redhat.com>
Cc: security@kernel.org, ceph-devel@vger.kernel.org
Subject: Re: [PATCH] libceph: Fix multiplication overflow in __decode_pg_upmap_items()
Date: Wed, 13 May 2026 09:40:15 -0700
Message-ID: <a9e24eba42be211967a5342550561250c5894dea.camel@dubeyko.com>
In-Reply-To: <20260513081425.1477060-1-raphael.zimmer@tu-ilmenau.de>
cc: ceph-devel@vger.kernel.org
On Wed, 2026-05-13 at 10:14 +0200, Raphael Zimmer wrote:
> A message of type CEPH_MSG_OSD_MAP holds an OSD map, which typically
> contains a pg_upmap part at its end. When decoding this part in
> __decode_pg_upmap_items(), a len value is decoded from the message to
> determine the number of items and the size of the allocation needed for
> them. If the len value is greater than or equal to 2^31, an overflow
> occurs in the multiplication that is performed to determine the needed
> size of the incoming buffer to decode, as well as for the length of the
> allocation for the ceph_pg_mapping struct. Subsequently, this results in
> out-of-bounds writes (and reads) when decoding the incoming message
> fields into the ceph_pg_mapping struct.
>
> This patch fixes the issue by adding a UL suffix to the literal in the
> multiplication to perform it as an unsigned long multiplication.
>
> Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
> ---
> net/ceph/osdmap.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
> index 8b5b0587a0cf..42b7b5300901 100644
> --- a/net/ceph/osdmap.c
> +++ b/net/ceph/osdmap.c
> @@ -1620,8 +1620,8 @@ static struct ceph_pg_mapping
> *__decode_pg_upmap_items(void **p, void *end,
> if ((size_t)len > (SIZE_MAX - sizeof(*pg)) / (2 *
> sizeof(u32)))
> return ERR_PTR(-EINVAL);
>
> - ceph_decode_need(p, end, 2 * len * sizeof(u32), e_inval);
> - pg = alloc_pg_mapping(2 * len * sizeof(u32));
> + ceph_decode_need(p, end, 2UL * len * sizeof(u32), e_inval);
> + pg = alloc_pg_mapping(2UL * len * sizeof(u32));
> if (!pg)
> return ERR_PTR(-ENOMEM);
>
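Review bot: the range check just above the hunk already bounds len in size_t terms, so the real defect is that `2 * len` is evaluated at len's 32-bit width before the promotion to size_t and wraps for len >= 2^31; the `2UL` literal cures that only because unsigned long is 64 bits on 64-bit targets (on 32-bit targets the preceding check keeps the product in range, so the fix is still correct there). Consider writing the widening explicitly, e.g. `2 * (size_t)len * sizeof(u32)` or `size_mul(2 * sizeof(u32), len)` from <linux/overflow.h>, computed once into a local and passed to both ceph_decode_need() and alloc_pg_mapping(), so the result does not hinge on a literal suffix that a later cleanup could silently drop, and add a one-line comment stating why the product must be done in size_t.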
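To make the width issue in the patch description concrete, here is an added example in C. It is not libceph code: it models the size arithmetic of __decode_pg_upmap_items() with its own names (need_bytes_wrapping, need_bytes_fixed, would_decode, decode_upmap_items, items_buf), assumes the wire layout the description gives (a u32 len followed by len pairs of u32, little-endian), and uses constructed sample messages rather than captured traffic. It shows that for len = 0x80000000 the pre-patch product evaluates to 0 and would let a tiny message pass the "enough bytes left" check, while size_t arithmetic rejects it.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not libceph code. All names are this example's own. */
typedef uint32_t u32;

#define RET_EINVAL (-22)   /* stand-in for the kernel's -EINVAL */

/* Pre-patch form: `2 * len` is computed in 32-bit unsigned arithmetic
 * before the promotion to size_t, so for len >= 2^31 it wraps mod 2^32. */
size_t need_bytes_wrapping(u32 len)
{
    return 2 * len * sizeof(u32);
}

/* Post-patch form. The patch uses 2UL; the explicit size_t cast here is
 * the same idea without depending on unsigned long being 64 bits wide. */
size_t need_bytes_fixed(u32 len)
{
    return 2 * (size_t)len * sizeof(u32);
}

/* Would the "enough bytes left in the message?" check let decoding go on?
 * Returns 1 to proceed, 0 to reject, for either size computation. */
int would_decode(u32 len, size_t avail, int use_fixed)
{
    size_t need = use_fixed ? need_bytes_fixed(len) : need_bytes_wrapping(len);
    return avail >= need;
}

/* Little-endian u32 read with a bounds check, like ceph_decode_32_safe(). */
static int get_u32_le(const uint8_t **p, const uint8_t *end, u32 *out)
{
    if ((size_t)(end - *p) < 4)
        return RET_EINVAL;
    *out = (u32)(*p)[0] | (u32)(*p)[1] << 8 | (u32)(*p)[2] << 16 | (u32)(*p)[3] << 24;
    *p += 4;
    return 0;
}

#define MAX_ITEMS 64                       /* example-only cap on output room */
struct items_buf { u32 len; u32 osds[2 * MAX_ITEMS]; };
struct items_buf decoded;                  /* scratch output used by callers */

/* Decode one upmap-items record; returns bytes consumed or RET_EINVAL.
 * All size arithmetic is done in size_t before comparing against the
 * remaining message length. */
int decode_upmap_items(const uint8_t *buf, size_t buflen, struct items_buf *out)
{
    const uint8_t *p = buf, *end = buf + buflen;
    u32 len;
    if (get_u32_le(&p, end, &len))
        return RET_EINVAL;
    /* Same shape as the range check preceding the hunk: keep
     * sizeof(*out) + 2*len*sizeof(u32) below SIZE_MAX. */
    if ((size_t)len > (SIZE_MAX - sizeof(*out)) / (2 * sizeof(u32)))
        return RET_EINVAL;
    /* The check the wrap defeated: a huge len must not compute need == 0. */
    if ((size_t)(end - p) < need_bytes_fixed(len))
        return RET_EINVAL;
    if (len > MAX_ITEMS)
        return RET_EINVAL;
    out->len = len;
    for (u32 i = 0; i < 2 * len; i++)
        if (get_u32_le(&p, end, &out->osds[i]))
            return RET_EINVAL;
    return (int)(p - buf);
}

/* Constructed sample messages (not captured traffic). */
const uint8_t good_msg[] = {
    2, 0, 0, 0,                 /* len = 2 */
    1, 0, 0, 0,  7, 0, 0, 0,    /* item 0: osd 1 -> osd 7 */
    3, 0, 0, 0,  9, 0, 0, 0,    /* item 1: osd 3 -> osd 9 */
};
const uint8_t evil_msg[] = {
    0, 0, 0, 0x80,              /* len = 0x80000000: 2*len wraps to 0 in u32 */
    1, 0, 0, 0,  7, 0, 0, 0,    /* only one pair actually present */
};
```

With evil_msg, would_decode(0x80000000, 8, 0) returns 1 because the wrapped need is 0, which is exactly the path that leads to the out-of-bounds accesses the patch description mentions; the size_t computation asks for 16 GiB and the record is rejected.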
Thread overview: 5+ messages
[not found] <8edcef9c-0b7c-46dc-8094-dc55b62567d3@tu-ilmenau.de>
[not found] ` <20260513081425.1477060-1-raphael.zimmer@tu-ilmenau.de>
2026-05-13 16:40 ` Viacheslav Dubeyko [this message]
2026-05-13 17:18 ` [PATCH] libceph: Fix multiplication overflow in __decode_pg_upmap_items() Viacheslav Dubeyko
2026-05-15 7:41 ` Raphael Zimmer
2026-05-15 18:40 ` Viacheslav Dubeyko
2026-05-13 16:40 ` [bug report] libceph: Multiplication overflow that leads to out-of-bounds writes " Viacheslav Dubeyko