CEPH filesystem development
From: Viacheslav Dubeyko <slava@dubeyko.com>
To: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>,
	Ilya Dryomov <idryomov@gmail.com>,
	Alex Markuze <amarkuze@redhat.com>
Cc: security@kernel.org, ceph-devel@vger.kernel.org
Subject: Re: [PATCH] libceph: Fix multiplication overflow in __decode_pg_upmap_items()
Date: Wed, 13 May 2026 09:40:15 -0700
Message-ID: <a9e24eba42be211967a5342550561250c5894dea.camel@dubeyko.com>
In-Reply-To: <20260513081425.1477060-1-raphael.zimmer@tu-ilmenau.de>

cc: ceph-devel@vger.kernel.org

On Wed, 2026-05-13 at 10:14 +0200, Raphael Zimmer wrote:
> A message of type CEPH_MSG_OSD_MAP holds an OSD map, which typically
> contains a pg_upmap part at its end. When decoding this part in
> __decode_pg_upmap_items(), a len value is decoded from the message to
> determine the number of items and the size of the allocation needed for
> them. If the len value is greater than or equal to 2^31, an overflow
> occurs in the multiplication that is performed to determine the needed
> size of the incoming buffer to decode, as well as for the length of the
> allocation for the ceph_pg_mapping struct. Subsequently, this results in
> out-of-bounds writes (and reads) when decoding the incoming message
> fields into the ceph_pg_mapping struct.
> 
> This patch fixes the issue by adding a UL suffix to the literal in the
> multiplication to perform it as an unsigned long multiplication.
> 
> Signed-off-by: Raphael Zimmer <raphael.zimmer@tu-ilmenau.de>
> ---
>  net/ceph/osdmap.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/net/ceph/osdmap.c b/net/ceph/osdmap.c
> index 8b5b0587a0cf..42b7b5300901 100644
> --- a/net/ceph/osdmap.c
> +++ b/net/ceph/osdmap.c
> @@ -1620,8 +1620,8 @@ static struct ceph_pg_mapping
> *__decode_pg_upmap_items(void **p, void *end,
>  	if ((size_t)len > (SIZE_MAX - sizeof(*pg)) / (2 *
> sizeof(u32)))
>  		return ERR_PTR(-EINVAL);
>  
> -	ceph_decode_need(p, end, 2 * len * sizeof(u32), e_inval);
> -	pg = alloc_pg_mapping(2 * len * sizeof(u32));
> +	ceph_decode_need(p, end, 2UL * len * sizeof(u32), e_inval);
> +	pg = alloc_pg_mapping(2UL * len * sizeof(u32));
>  	if (!pg)
>  		return ERR_PTR(-ENOMEM);
>  
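Review bot: the guard at the top of the hunk compares `(size_t)len`, but the two products it is meant to protect form `2 * len` first, at the width of `len`, so on 64-bit targets a value such as 2^31 passes the guard and the product wraps to 0 before `sizeof(u32)` widens anything; `ceph_decode_need()` is then asked for 0 bytes and `alloc_pg_mapping()` for a header-only object while the decode loop still runs `len` times. The `2UL` suffix lines the arithmetic up with the guard, but the same expression is now written twice, and `unsigned long` is only 32 bits on 32-bit targets (there the guard keeps `len` at or below `(SIZE_MAX - sizeof(*pg)) / 8`, so nothing wraps, but a reader has to connect the two). Consider computing it once, e.g. `size_t sz = (size_t)2 * len * sizeof(u32);` or the `size_mul()` helper from linux/overflow.h, and passing `sz` to both `ceph_decode_need()` and `alloc_pg_mapping()`, so the width is stated in one place next to the guard. The commit message also carries no `Fixes:` tag; since the bad `len` arrives in a received OSD map, one pointing at the commit that introduced this decode path would make the stable backport straightforward.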

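The width mismatch described in the commit message, as an added C example that is not part of the patch or of libceph. It places the pre-patch byte-count formula beside the widened one and beside an overflow-checked form, and drives a decoder shaped like __decode_pg_upmap_items() with a constructed message whose len is 0x80000000. `struct pg_mapping`, the two message byte strings, `decode_le32()` and the `width_mode` switch are stand-ins and assumptions; the real struct layout and the rest of the decode loop are not on the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for struct ceph_pg_mapping: only sizeof() matters for
 * the guard below; the real layout is not shown on the page. */
struct pg_mapping {
	uint64_t pgid;
	uint32_t len;
};

#define NEG_EINVAL (-22)

/* Byte count for len (from, to) u32 pairs as the pre-patch code formed it:
 * `2 * len` is an unsigned int product and wraps before sizeof() widens it. */
static size_t need_bytes_narrow(uint32_t len)
{
	return 2 * len * sizeof(uint32_t);
}

/* Same count with the whole product at size_t width; this is what the 2UL
 * suffix achieves on LP64 targets, where unsigned long and size_t coincide. */
static size_t need_bytes_wide(uint32_t len)
{
	return (size_t)2 * len * sizeof(uint32_t);
}

/* Width-independent form: reports a wrap instead of producing one (GCC/clang builtin). */
static bool need_bytes_checked(uint32_t len, size_t *out)
{
	return !__builtin_mul_overflow((size_t)len, 2 * sizeof(uint32_t), out);
}

/* The guard already present in the hunk, transcribed against the stand-in struct. */
static bool len_guard_ok(uint32_t len)
{
	return (size_t)len <= (SIZE_MAX - sizeof(struct pg_mapping)) / (2 * sizeof(uint32_t));
}

/* Stand-in for ceph_decode_32(): little-endian u32 at p, as on the wire. */
static uint32_t decode_le32(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

enum width_mode { MODE_NARROW, MODE_WIDE, MODE_CHECKED };

/* Front half of a decoder shaped like __decode_pg_upmap_items(): read len,
 * apply the guard, then the ceph_decode_need()-style length check using one
 * of the three byte-count formulas. Returns -EINVAL when the message is
 * rejected, otherwise the byte count the decode loop would go on to consume
 * from [p, end). With MODE_NARROW and len = 2^31 that count is 0 although the
 * loop would still iterate 2^31 times, reading and writing past both the
 * message and the allocation; the loop itself is deliberately not run here. */
static int64_t decode_upmap_items(const uint8_t *p, const uint8_t *end, enum width_mode mode)
{
	uint32_t len;
	size_t need;

	if (end - p < (ptrdiff_t)sizeof(len))
		return NEG_EINVAL;
	len = decode_le32(p);
	p += sizeof(len);

	if (!len_guard_ok(len))
		return NEG_EINVAL;

	switch (mode) {
	case MODE_NARROW:
		need = need_bytes_narrow(len);
		break;
	case MODE_WIDE:
		need = need_bytes_wide(len);
		break;
	default:
		if (!need_bytes_checked(len, &need))
			return NEG_EINVAL;
		break;
	}

	if ((size_t)(end - p) < need)	/* ceph_decode_need() */
		return NEG_EINVAL;
	return (int64_t)need;
}

/* Constructed hostile message: len = 0x80000000 and no payload at all. */
static const uint8_t HOSTILE_MSG[4] = { 0x00, 0x00, 0x00, 0x80 };
/* Constructed benign message: len = 1 followed by one (from, to) pair. */
static const uint8_t BENIGN_MSG[12] = { 1, 0, 0, 0, 5, 0, 0, 0, 7, 0, 0, 0 };
```

On an LP64 build `decode_upmap_items(HOSTILE_MSG, HOSTILE_MSG + 4, MODE_NARROW)` accepts the four-byte message with a required length of 0, which is the state the commit message describes; MODE_WIDE rejects it because the guard and the product now agree on their width, and MODE_CHECKED rejects it on 32-bit and 64-bit builds alike without depending on the width of `unsigned long`.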

Thread overview: 5+ messages
     [not found] <8edcef9c-0b7c-46dc-8094-dc55b62567d3@tu-ilmenau.de>
     [not found] ` <20260513081425.1477060-1-raphael.zimmer@tu-ilmenau.de>
2026-05-13 16:40   ` Viacheslav Dubeyko [this message]
2026-05-13 17:18     ` [PATCH] libceph: Fix multiplication overflow in __decode_pg_upmap_items() Viacheslav Dubeyko
2026-05-15  7:41       ` Raphael Zimmer
2026-05-15 18:40         ` Viacheslav Dubeyko
2026-05-13 16:40 ` [bug report] libceph: Multiplication overflow that leads to out-of-bounds writes " Viacheslav Dubeyko
