linux/net/ceph
Ilya Dryomov a282a2f105 libceph: harden msgr2.1 frame segment length checks
ceph_frame_desc::fd_lens is an int array.  decode_preamble() thus
effectively casts u32 -> int but the checks for segment lengths are
written as if on unsigned values.  While reading in HELLO or one of the
AUTH frames (before authentication is completed), arithmetic in
head_onwire_len() can get duped by negative ctrl_len and produce
head_len which is less than CEPH_PREAMBLE_LEN but still positive.
This would lead to a buffer overrun in prepare_read_control() as the
preamble gets copied to the newly allocated buffer of size head_len.

Cc: stable@vger.kernel.org
Fixes: cd1a677cad ("libceph, ceph: implement msgr2.1 protocol (crc and secure modes)")
Reported-by: Thelford Williams <thelford@google.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
2023-07-13 13:18:57 +02:00
..
crush libceph: use swap() macro instead of taking tmp variable 2022-05-25 20:45:13 +02:00
armor.c
auth_none.c libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_none.h libceph: kill ceph_none_authorizer::reply_buf 2021-06-28 23:49:25 +02:00
auth_x_protocol.h libceph: fix some spelling mistakes 2021-06-28 23:49:25 +02:00
auth_x.c libceph: set global_id as soon as we get an auth ticket 2021-06-24 21:03:17 +02:00
auth_x.h
auth.c libceph: remove unnecessary ret variable in ceph_auth_init() 2021-06-28 23:49:25 +02:00
buffer.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
ceph_common.c libceph: optionally use bounce buffer on recv path in crc mode 2022-02-02 18:50:36 +01:00
ceph_hash.c
ceph_strings.c libceph: introduce connection modes and ms_mode option 2020-12-14 23:21:50 +01:00
cls_lock_client.c libceph: fix doc warnings in cls_lock_client.c 2021-06-28 23:49:25 +02:00
crypto.c mm: allow !GFP_KERNEL allocations for kvmalloc 2022-01-15 16:30:29 +02:00
crypto.h libceph, ceph: incorporate nautilus cephx changes 2020-12-14 23:21:50 +01:00
debugfs.c
decode.c libceph: allow addrvecs with a single NONE/blank address 2021-05-04 16:06:15 +02:00
Kconfig libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
Makefile libceph, ceph: implement msgr2.1 protocol (crc and secure modes) 2020-12-14 23:21:50 +01:00
messenger_v1.c libceph: Partially revert changes to support MSG_SPLICE_PAGES 2023-06-27 09:32:40 -07:00
messenger_v2.c libceph: harden msgr2.1 frame segment length checks 2023-07-13 13:18:57 +02:00
messenger.c net/sock: Introduce trace_sk_data_ready() 2023-01-23 11:26:50 +00:00
mon_client.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
msgpool.c
osd_client.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
osdmap.c libceph: print fsid and epoch with osd id 2022-08-03 00:54:12 +02:00
pagelist.c libceph: fix ceph_pagelist_reserve() comment typo 2022-08-03 00:54:13 +02:00
pagevec.c
snapshot.c
string_table.c
striper.c