From: Greg Kroah-Hartman
To: linux-cve-announce@vger.kernel.org
Cc: Greg Kroah-Hartman
Subject: CVE-2026-43407: libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()
Date: Fri, 8 May 2026 16:22:16 +0200
Message-ID: <2026050842-CVE-2026-43407-d1e9@gregkh>
X-Mailer: git-send-email 2.54.0
Precedence: bulk
X-Mailing-List: linux-cve-announce@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

From: Greg Kroah-Hartman

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()

This patch fixes an out-of-bounds access in ceph_handle_auth_reply() that
can be triggered by a message of type CEPH_MSG_AUTH_REPLY.

In ceph_handle_auth_reply(), the value of the payload_len field of such a
message is stored in a variable of type int. A value greater than INT_MAX
leads to an integer overflow and is interpreted as a negative value. This
leads to decrementing the pointer address by this value and subsequently
accessing it because ceph_decode_need() only checks that the memory access
does not exceed the end address of the allocation.

This patch fixes the issue by changing the data type of payload_len to u32.
Additionally, the data type of result_msg_len is changed to u32, as it is
also a variable holding a non-negative length. Also, an additional layer of
sanity checks is introduced, ensuring that directly after reading it from
the message, payload_len and result_msg_len are not greater than the
overall segment length.
BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]
Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262

CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
 dump_stack_lvl+0x76/0xa0
 print_report+0xd1/0x620
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? kasan_complete_mode_report_info+0x72/0x210
 kasan_report+0xe7/0x130
 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 __asan_report_load_n_noabort+0xf/0x20
 ceph_handle_auth_reply+0x642/0x7a0 [libceph]
 mon_dispatch+0x973/0x23d0 [libceph]
 ? apparmor_socket_recvmsg+0x6b/0xa0
 ? __pfx_mon_dispatch+0x10/0x10 [libceph]
 ? __kasan_check_write+0x14/0x30i
 ? mutex_unlock+0x7f/0xd0
 ? __pfx_mutex_unlock+0x10/0x10
 ? __pfx_do_recvmsg+0x10/0x10 [libceph]
 ceph_con_process_message+0x1f1/0x650 [libceph]
 process_message+0x1e/0x450 [libceph]
 ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]
 ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]
 ? save_fpregs_to_fpstate+0xb0/0x230
 ? raw_spin_rq_unlock+0x17/0xa0
 ? finish_task_switch.isra.0+0x13b/0x760
 ? __switch_to+0x385/0xda0
 ? __kasan_check_write+0x14/0x30
 ? mutex_lock+0x8d/0xe0
 ? __pfx_mutex_lock+0x10/0x10
 ceph_con_workfn+0x248/0x10c0 [libceph]
 process_one_work+0x629/0xf80
 ? __kasan_check_write+0x14/0x30
 worker_thread+0x87f/0x1570
 ? __pfx__raw_spin_lock_irqsave+0x10/0x10
 ? __pfx_try_to_wake_up+0x10/0x10
 ? kasan_print_address_stack_frame+0x1f7/0x280
 ? __pfx_worker_thread+0x10/0x10
 kthread+0x396/0x830
 ? __pfx__raw_spin_lock_irq+0x10/0x10
 ? __pfx_kthread+0x10/0x10
 ? __kasan_check_write+0x14/0x30
 ? recalc_sigpending+0x180/0x210
 ? __pfx_kthread+0x10/0x10
 ret_from_fork+0x3f7/0x610
 ? __pfx_ret_from_fork+0x10/0x10
 ? __switch_to+0x385/0xda0
 ? __pfx_kthread+0x10/0x10
 ret_from_fork_asm+0x1a/0x30

[ idryomov: replace if statements with ceph_decode_need() for payload_len
  and result_msg_len ]

The Linux kernel CVE team has assigned CVE-2026-43407 to this issue.


Affected and fixed versions
===========================

  Fixed in 5.10.253 with commit ea080b21092590122c3f971cf588932cdbf47847
  Fixed in 5.15.203 with commit edc678e5cd11730a2834b43071d8923f05bc334d
  Fixed in 6.1.167 with commit 6cee34d6669fe176b4259131adb1a145c939b472
  Fixed in 6.6.130 with commit 8bb87547e92dcf0928ed763c60e0ac8d733c3656
  Fixed in 6.12.78 with commit ed024d2f4c79c0eb2464df0fb640610ac301f9a0
  Fixed in 6.18.19 with commit f9da5c1bbac5c8e33259fe00ed7347438fffa969
  Fixed in 6.19.9 with commit 9f9e2297f45fc2d2524eb104c289d69ddef95665
  Fixed in 7.0 with commit b282c43ed156ae15ea76748fc15cd5c39dc9ab72

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions. The official CVE entry at
  https://cve.org/CVERecord/?id=CVE-2026-43407
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
  net/ceph/auth.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes. Individual
changes are never tested alone, but rather are part of a larger kernel
release. Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all. If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
  https://git.kernel.org/stable/c/ea080b21092590122c3f971cf588932cdbf47847
  https://git.kernel.org/stable/c/edc678e5cd11730a2834b43071d8923f05bc334d
  https://git.kernel.org/stable/c/6cee34d6669fe176b4259131adb1a145c939b472
  https://git.kernel.org/stable/c/8bb87547e92dcf0928ed763c60e0ac8d733c3656
  https://git.kernel.org/stable/c/ed024d2f4c79c0eb2464df0fb640610ac301f9a0
  https://git.kernel.org/stable/c/f9da5c1bbac5c8e33259fe00ed7347438fffa969
  https://git.kernel.org/stable/c/9f9e2297f45fc2d2524eb104c289d69ddef95665
  https://git.kernel.org/stable/c/b282c43ed156ae15ea76748fc15cd5c39dc9ab72
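The sign bug that the description above walks through, shown as an added userspace example. This is not kernel code and not part of the announcement: has_room() mirrors only the property the description attributes to ceph_decode_need() (the cursor is compared against the end of the segment, never against its start); the 20-byte fixed header ending in payload_len, the little-endian field encoding and the two sample messages are constructed simplifications for the example; and the wrap of a u32 above INT_MAX to a negative int is assumed to be two's-complement, as it is on the compilers the kernel is built with (the conversion is implementation-defined before C23). Offsets stand in for the pointers so that the negative case stays well-defined and nothing out of bounds is ever read; the decoder reports where it would have read instead.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Wire-format helper: integers are read little-endian (assumed layout). */
static uint32_t get_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* End-only room check: the cursor must not be past 'end' and n bytes must
 * remain before 'end'. The start of the segment is never consulted, which
 * is exactly what a negative length slips through. */
static int has_room(ptrdiff_t off, ptrdiff_t end, size_t n)
{
    return end >= off && n <= (size_t)(end - off);
}

/* Assumed fixed header: 16 bytes of fields the example does not use,
 * followed by the 4-byte payload_len. */
#define AUTH_HDR_LEN 20
#define REJECTED PTRDIFF_MAX

/* Pre-fix pattern: payload_len held in an int and the cursor advanced
 * before any check. Returns the offset at which result_msg_len would be
 * read (negative means before the start of the buffer), or REJECTED. */
static ptrdiff_t decode_vulnerable(const unsigned char *buf, size_t len)
{
    ptrdiff_t end = (ptrdiff_t)len, off = 0;
    int payload_len;                         /* the defect: signed length */

    if (!has_room(off, end, AUTH_HDR_LEN))
        return REJECTED;
    off += 16;
    payload_len = (int)get_le32(buf + off);  /* > INT_MAX wraps negative */
    off += 4;
    off += payload_len;                      /* cursor moves backwards */
    if (!has_room(off, end, sizeof(uint32_t)))
        return REJECTED;                     /* passes: only end is checked */
    return off;
}

/* Post-fix pattern: u32 lengths, each checked against the remaining
 * segment before the cursor moves. Returns 1 for a well-formed message. */
static int decode_hardened(const unsigned char *buf, size_t len)
{
    ptrdiff_t end = (ptrdiff_t)len, off = 0;
    uint32_t payload_len, result_msg_len;

    if (!has_room(off, end, AUTH_HDR_LEN))
        return 0;
    off += 16;
    payload_len = get_le32(buf + off);
    off += 4;
    if (!has_room(off, end, payload_len))    /* check before advancing */
        return 0;
    off += payload_len;
    if (!has_room(off, end, sizeof(uint32_t)))
        return 0;
    result_msg_len = get_le32(buf + off);
    off += 4;
    if (!has_room(off, end, result_msg_len)) /* same rule for the 2nd length */
        return 0;
    off += result_msg_len;
    return off == end;                       /* trailing bytes are an error */
}

/* Constructed sample: header with payload_len = 0x80000010, 4 bytes after. */
static const unsigned char bad_msg[24] = {
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    0x10, 0x00, 0x00, 0x80,
    0, 0, 0, 0
};

/* Constructed sample: payload_len = 2, "ab", result_msg_len = 3, "err". */
static const unsigned char good_msg[29] = {
    0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,  0, 0, 0, 0,
    2, 0, 0, 0,  'a', 'b',
    3, 0, 0, 0,  'e', 'r', 'r'
};

int main(void)
{
    printf("vulnerable decoder would read result_msg_len at offset %td\n",
           decode_vulnerable(bad_msg, sizeof bad_msg));
    printf("hardened decoder accepts bad message:  %d\n",
           decode_hardened(bad_msg, sizeof bad_msg));
    printf("hardened decoder accepts good message: %d\n",
           decode_hardened(good_msg, sizeof good_msg));
    return 0;
}
```

The offset printed for the bad message is 20 - 2147483632 = -2147483612, far before the start of the buffer, and the end-only check still reports room for the 4-byte read; with KASAN that read is the slab-out-of-bounds report quoted above. The hardened path rejects the same message at the first length check and still accepts the well-formed one, including the trailing "cursor must land exactly on end" rule.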