ghsa-755w-2h7x-xvj6
Vulnerability from github
Published
2025-02-27 03:34
Modified
2025-03-06 12:30
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

ceph: fix memory leak in ceph_mds_auth_match()

We now free the temporary target path substring allocation on every possible branch, instead of omitting the default branch. In some cases, a memory leak occured, which could rapidly crash the system (depending on how many file accesses were attempted).

This was detected in production because it caused a continuous memory growth, eventually triggering kernel OOM and completely hard-locking the kernel.

Relevant kmemleak stacktrace:

unreferenced object 0xffff888131e69900 (size 128):
  comm "git", pid 66104, jiffies 4295435999
  hex dump (first 32 bytes):
    76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65  volumes/containe
    72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67  rs/gitea/gitea/g
  backtrace (crc 2f3bb450):
    [<ffffffffaa68fb49>] __kmalloc_noprof+0x359/0x510
    [<ffffffffc32bf1df>] ceph_mds_check_access+0x5bf/0x14e0 [ceph]
    [<ffffffffc3235722>] ceph_open+0x312/0xd80 [ceph]
    [<ffffffffaa7dd786>] do_dentry_open+0x456/0x1120
    [<ffffffffaa7e3729>] vfs_open+0x79/0x360
    [<ffffffffaa832875>] path_openat+0x1de5/0x4390
    [<ffffffffaa834fcc>] do_filp_open+0x19c/0x3c0
    [<ffffffffaa7e44a1>] do_sys_openat2+0x141/0x180
    [<ffffffffaa7e4945>] __x64_sys_open+0xe5/0x1a0
    [<ffffffffac2cc2f7>] do_syscall_64+0xb7/0x210
    [<ffffffffac400130>] entry_SYSCALL_64_after_hwframe+0x77/0x7f

It can be triggered by mouting a subdirectory of a CephFS filesystem, and then trying to access files on this subdirectory with an auth token using a path-scoped capability:

$ ceph auth get client.services
[client.services]
        key = REDACTED
        caps mds = "allow rw fsname=cephfs path=/volumes/"
        caps mon = "allow r fsname=cephfs"
        caps osd = "allow rw tag cephfs data=cephfs"

$ cat /proc/self/mounts
services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=<hidden>,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0

$ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} && \
seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}

[ idryomov: combine if statements, rename rc to path_matched and make it a bool, formatting ]

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2025-21737"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-02-27T03:15:14Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_mds_auth_match()\n\nWe now free the temporary target path substring allocation on every\npossible branch, instead of omitting the default branch.  In some\ncases, a memory leak occured, which could rapidly crash the system\n(depending on how many file accesses were attempted).\n\nThis was detected in production because it caused a continuous memory\ngrowth, eventually triggering kernel OOM and completely hard-locking\nthe kernel.\n\nRelevant kmemleak stacktrace:\n\n    unreferenced object 0xffff888131e69900 (size 128):\n      comm \"git\", pid 66104, jiffies 4295435999\n      hex dump (first 32 bytes):\n        76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65  volumes/containe\n        72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67  rs/gitea/gitea/g\n      backtrace (crc 2f3bb450):\n        [\u003cffffffffaa68fb49\u003e] __kmalloc_noprof+0x359/0x510\n        [\u003cffffffffc32bf1df\u003e] ceph_mds_check_access+0x5bf/0x14e0 [ceph]\n        [\u003cffffffffc3235722\u003e] ceph_open+0x312/0xd80 [ceph]\n        [\u003cffffffffaa7dd786\u003e] do_dentry_open+0x456/0x1120\n        [\u003cffffffffaa7e3729\u003e] vfs_open+0x79/0x360\n        [\u003cffffffffaa832875\u003e] path_openat+0x1de5/0x4390\n        [\u003cffffffffaa834fcc\u003e] do_filp_open+0x19c/0x3c0\n        [\u003cffffffffaa7e44a1\u003e] do_sys_openat2+0x141/0x180\n        [\u003cffffffffaa7e4945\u003e] __x64_sys_open+0xe5/0x1a0\n        [\u003cffffffffac2cc2f7\u003e] do_syscall_64+0xb7/0x210\n        [\u003cffffffffac400130\u003e] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIt can be triggered by mouting a subdirectory of a CephFS filesystem,\nand then trying to access files on this subdirectory with an auth token\nusing a path-scoped capability:\n\n    $ ceph auth get client.services\n    [client.services]\n            key = REDACTED\n            caps mds = \"allow rw fsname=cephfs path=/volumes/\"\n            caps mon = \"allow r fsname=cephfs\"\n            caps osd = \"allow rw tag cephfs data=cephfs\"\n\n    $ cat /proc/self/mounts\n    services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=\u003chidden\u003e,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0\n\n    $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} \u0026\u0026 \\\n    seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}\n\n[ idryomov: combine if statements, rename rc to path_matched and make\n            it a bool, formatting ]",
  "id": "GHSA-755w-2h7x-xvj6",
  "modified": "2025-03-06T12:30:41Z",
  "published": "2025-02-27T03:34:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-21737"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/146109fe936ac07f8f60cd6267543688985b96bc"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/3b7d93db450e9d8ead80d75e2a303248f1528c35"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.