cve/published/2025/CVE-2025-21737.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-21737: ceph: fix memory leak in ceph_mds_auth_match()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 ceph: fix memory leak in ceph_mds_auth_match()

 We now free the temporary target path substring allocation on every
 possible branch, instead of omitting the default branch.  In some
 cases, a memory leak occured, which could rapidly crash the system
 (depending on how many file accesses were attempted).

 This was detected in production because it caused a continuous memory
 growth, eventually triggering kernel OOM and completely hard-locking
 the kernel.

 Relevant kmemleak stacktrace:

     unreferenced object 0xffff888131e69900 (size 128):
       comm "git", pid 66104, jiffies 4295435999
       hex dump (first 32 bytes):
         76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65  volumes/containe
         72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67  rs/gitea/gitea/g
       backtrace (crc 2f3bb450):
         [<ffffffffaa68fb49>] __kmalloc_noprof+0x359/0x510
         [<ffffffffc32bf1df>] ceph_mds_check_access+0x5bf/0x14e0 [ceph]
         [<ffffffffc3235722>] ceph_open+0x312/0xd80 [ceph]
         [<ffffffffaa7dd786>] do_dentry_open+0x456/0x1120
         [<ffffffffaa7e3729>] vfs_open+0x79/0x360
         [<ffffffffaa832875>] path_openat+0x1de5/0x4390
         [<ffffffffaa834fcc>] do_filp_open+0x19c/0x3c0
         [<ffffffffaa7e44a1>] do_sys_openat2+0x141/0x180
         [<ffffffffaa7e4945>] __x64_sys_open+0xe5/0x1a0
         [<ffffffffac2cc2f7>] do_syscall_64+0xb7/0x210
         [<ffffffffac400130>] entry_SYSCALL_64_after_hwframe+0x77/0x7f

 It can be triggered by mouting a subdirectory of a CephFS filesystem,
 and then trying to access files on this subdirectory with an auth token
 using a path-scoped capability:

     $ ceph auth get client.services
     [client.services]
             key = REDACTED
             caps mds = "allow rw fsname=cephfs path=/volumes/"
             caps mon = "allow r fsname=cephfs"
             caps osd = "allow rw tag cephfs data=cephfs"

     $ cat /proc/self/mounts
     services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=<hidden>,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0

     $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} && \
     seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}

 [ idryomov: combine if statements, rename rc to path_matched and make
             it a bool, formatting ]

 The Linux kernel CVE team has assigned CVE-2025-21737 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.10 with commit 596afb0b8933ba6ed7227adcc538db26feb25c74 and fixed in 6.12.14 with commit 146109fe936ac07f8f60cd6267543688985b96bc
 	Issue introduced in 6.10 with commit 596afb0b8933ba6ed7227adcc538db26feb25c74 and fixed in 6.13.3 with commit 2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7
 	Issue introduced in 6.10 with commit 596afb0b8933ba6ed7227adcc538db26feb25c74 and fixed in 6.14 with commit 3b7d93db450e9d8ead80d75e2a303248f1528c35

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-21737
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	fs/ceph/mds_client.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/146109fe936ac07f8f60cd6267543688985b96bc
 	https://git.kernel.org/stable/c/2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7
 	https://git.kernel.org/stable/c/3b7d93db450e9d8ead80d75e2a303248f1528c35
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-21737: ceph: fix memory leak in ceph_mds_auth_match()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	ceph: fix memory leak in ceph_mds_auth_match()

	We now free the temporary target path substring allocation on every
	possible branch, instead of omitting the default branch. In some
	cases, a memory leak occured, which could rapidly crash the system
	(depending on how many file accesses were attempted).

	This was detected in production because it caused a continuous memory
	growth, eventually triggering kernel OOM and completely hard-locking
	the kernel.

	Relevant kmemleak stacktrace:

	unreferenced object 0xffff888131e69900 (size 128):
	comm "git", pid 66104, jiffies 4295435999
	hex dump (first 32 bytes):
	76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65 volumes/containe
	72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67 rs/gitea/gitea/g
	backtrace (crc 2f3bb450):
	[<ffffffffaa68fb49>] __kmalloc_noprof+0x359/0x510
	[<ffffffffc32bf1df>] ceph_mds_check_access+0x5bf/0x14e0 [ceph]
	[<ffffffffc3235722>] ceph_open+0x312/0xd80 [ceph]
	[<ffffffffaa7dd786>] do_dentry_open+0x456/0x1120
	[<ffffffffaa7e3729>] vfs_open+0x79/0x360
	[<ffffffffaa832875>] path_openat+0x1de5/0x4390
	[<ffffffffaa834fcc>] do_filp_open+0x19c/0x3c0
	[<ffffffffaa7e44a1>] do_sys_openat2+0x141/0x180
	[<ffffffffaa7e4945>] __x64_sys_open+0xe5/0x1a0
	[<ffffffffac2cc2f7>] do_syscall_64+0xb7/0x210
	[<ffffffffac400130>] entry_SYSCALL_64_after_hwframe+0x77/0x7f

	It can be triggered by mouting a subdirectory of a CephFS filesystem,
	and then trying to access files on this subdirectory with an auth token
	using a path-scoped capability:

	$ ceph auth get client.services
	[client.services]
	key = REDACTED
	caps mds = "allow rw fsname=cephfs path=/volumes/"
	caps mon = "allow r fsname=cephfs"
	caps osd = "allow rw tag cephfs data=cephfs"

	$ cat /proc/self/mounts
	services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=<hidden>,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0

	$ seq 1 1000000 \| xargs -P32 --replace={} touch /ceph/containers/file-{} && \
	seq 1 1000000 \| xargs -P32 --replace={} cat /ceph/containers/file-{}

	[ idryomov: combine if statements, rename rc to path_matched and make
	it a bool, formatting ]

	The Linux kernel CVE team has assigned CVE-2025-21737 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.10 with commit 596afb0b8933ba6ed7227adcc538db26feb25c74 and fixed in 6.12.14 with commit 146109fe936ac07f8f60cd6267543688985b96bc
	Issue introduced in 6.10 with commit 596afb0b8933ba6ed7227adcc538db26feb25c74 and fixed in 6.13.3 with commit 2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7
	Issue introduced in 6.10 with commit 596afb0b8933ba6ed7227adcc538db26feb25c74 and fixed in 6.14 with commit 3b7d93db450e9d8ead80d75e2a303248f1528c35

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-21737
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	fs/ceph/mds_client.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/146109fe936ac07f8f60cd6267543688985b96bc
	https://git.kernel.org/stable/c/2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7
	https://git.kernel.org/stable/c/3b7d93db450e9d8ead80d75e2a303248f1528c35