CVE-2026-43407

*** Pendiente de traducción *** In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> libceph: Fix potential out-of-bounds access in ceph_handle_auth_reply()<br /> <br /> This patch fixes an out-of-bounds access in ceph_handle_auth_reply()<br /> that can be triggered by a message of type CEPH_MSG_AUTH_REPLY. In<br /> ceph_handle_auth_reply(), the value of the payload_len field of such a<br /> message is stored in a variable of type int. A value greater than<br /> INT_MAX leads to an integer overflow and is interpreted as a negative<br /> value. This leads to decrementing the pointer address by this value and<br /> subsequently accessing it because ceph_decode_need() only checks that<br /> the memory access does not exceed the end address of the allocation.<br /> <br /> This patch fixes the issue by changing the data type of payload_len to<br /> u32. Additionally, the data type of result_msg_len is changed to u32,<br /> as it is also a variable holding a non-negative length.<br /> <br /> Also, an additional layer of sanity checks is introduced, ensuring that<br /> directly after reading it from the message, payload_len and<br /> result_msg_len are not greater than the overall segment length.<br /> <br /> BUG: KASAN: slab-out-of-bounds in ceph_handle_auth_reply+0x642/0x7a0 [libceph]<br /> Read of size 4 at addr ffff88811404df14 by task kworker/20:1/262<br /> <br /> CPU: 20 UID: 0 PID: 262 Comm: kworker/20:1 Not tainted 6.19.2 #5 PREEMPT(voluntary)<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> Workqueue: ceph-msgr ceph_con_workfn [libceph]<br /> Call Trace:<br /> <br /> dump_stack_lvl+0x76/0xa0<br /> print_report+0xd1/0x620<br /> ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> ? kasan_complete_mode_report_info+0x72/0x210<br /> kasan_report+0xe7/0x130<br /> ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]<br /> ? ceph_handle_auth_reply+0x642/0x7a0 [libceph]<br /> __asan_report_load_n_noabort+0xf/0x20<br /> ceph_handle_auth_reply+0x642/0x7a0 [libceph]<br /> mon_dispatch+0x973/0x23d0 [libceph]<br /> ? apparmor_socket_recvmsg+0x6b/0xa0<br /> ? __pfx_mon_dispatch+0x10/0x10 [libceph]<br /> ? __kasan_check_write+0x14/0x30i<br /> ? mutex_unlock+0x7f/0xd0<br /> ? __pfx_mutex_unlock+0x10/0x10<br /> ? __pfx_do_recvmsg+0x10/0x10 [libceph]<br /> ceph_con_process_message+0x1f1/0x650 [libceph]<br /> process_message+0x1e/0x450 [libceph]<br /> ceph_con_v2_try_read+0x2e48/0x6c80 [libceph]<br /> ? __pfx_ceph_con_v2_try_read+0x10/0x10 [libceph]<br /> ? save_fpregs_to_fpstate+0xb0/0x230<br /> ? raw_spin_rq_unlock+0x17/0xa0<br /> ? finish_task_switch.isra.0+0x13b/0x760<br /> ? __switch_to+0x385/0xda0<br /> ? __kasan_check_write+0x14/0x30<br /> ? mutex_lock+0x8d/0xe0<br /> ? __pfx_mutex_lock+0x10/0x10<br /> ceph_con_workfn+0x248/0x10c0 [libceph]<br /> process_one_work+0x629/0xf80<br /> ? __kasan_check_write+0x14/0x30<br /> worker_thread+0x87f/0x1570<br /> ? __pfx__raw_spin_lock_irqsave+0x10/0x10<br /> ? __pfx_try_to_wake_up+0x10/0x10<br /> ? kasan_print_address_stack_frame+0x1f7/0x280<br /> ? __pfx_worker_thread+0x10/0x10<br /> kthread+0x396/0x830<br /> ? __pfx__raw_spin_lock_irq+0x10/0x10<br /> ? __pfx_kthread+0x10/0x10<br /> ? __kasan_check_write+0x14/0x30<br /> ? recalc_sigpending+0x180/0x210<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork+0x3f7/0x610<br /> ? __pfx_ret_from_fork+0x10/0x10<br /> ? __switch_to+0x385/0xda0<br /> ? __pfx_kthread+0x10/0x10<br /> ret_from_fork_asm+0x1a/0x30<br /> <br /> <br /> [ idryomov: replace if statements with ceph_decode_need() for<br /> payload_len and result_msg_len ]