KernelScan.io

CRITICAL

ceph AuthDone Buffer Overflow

CVE-2026-22984

CVSS 9.8 / 10.0 (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

KernelScan AI: 9.8 CRITICAL

01

In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ]

02

Engine v0.2.0

Risk summary

A vulnerability in the Linux kernel's Ceph client (libceph, net/ceph/messenger_v2.c) lets the peer on the other end of a msgr2 connection trigger out-of-bounds memory reads by sending a malformed auth_done message whose payload_len claims more bytes than the message carries. The realistic consequences of an out-of-bounds read are kernel information disclosure or a kernel crash (denial of service) on the client host; nothing on this page supports code execution. The NVD vector rates it network-reachable and pre-authentication, but the affected code is the client's handling of the reply it receives while authenticating, so the attacker has to control, impersonate, or sit on the path to the Ceph monitor or OSD the host talks to. It is of most concern for hosts that mount CephFS or map RBD images from clusters or networks they do not fully trust, such as multi-tenant or cross-site deployments.

Affected: net/ceph/messenger_v2.c

Vulnerability analysis

Root cause: handle_auth_done() in the kernel's msgr2 implementation decodes the payload_len field from the incoming auth_done message but never checks that payload_len more bytes actually remain between the current position p and the end of the received frame. The decoded length is then handed to the connection's handle_auth_done callout, which reads that many bytes from the payload, so a peer that declares a payload_len larger than what it sent causes reads past the end of the frame buffer. The fixed-size fields before it are decoded with the _safe helpers, which guard their own bytes; the variable-length payload had no equivalent guard.

Attack surface: the vulnerable code runs in the Linux kernel client (CephFS mounts, RBD block devices) when it processes the auth_done message from the peer it is authenticating to over the msgr2.1 protocol. The attacker therefore has to act as that peer: a compromised or malicious Ceph monitor or OSD, or an on-path attacker able to inject or alter frames on the client's connection before the session is established. No client credentials are needed, because the message is handled during the authentication handshake, before the client has finished verifying the peer. This CVE covers only the kernel client; the userspace Ceph daemons have their own msgr2 implementation and are not patched by the commits listed below.

Fix mechanism: the patch inserts ceph_decode_need(&p, end, payload_len, bad) immediately after payload_len is decoded. The macro checks that at least payload_len bytes remain between the current position p and the end marker; if they do not, it jumps to the function's bad label, so the connection is failed before the untrusted length ever reaches the callout. Practitioner check: in a patched tree the decode of payload_len in handle_auth_done() should be followed directly by that ceph_decode_need() line; if it is not, the branch is unpatched regardless of its version string.
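The following is an added example, not the kernel's code and not part of the original page: it reimplements the shape of handle_auth_done() before and after the fix against simplified stand-ins for the ceph_decode_* helpers, builds a constructed auth_done frame whose payload_len lies about the bytes that follow, and reports how far a callout trusting that length would read past the frame. The field order (global_id, con_mode, payload_len, payload) follows what the real function decodes; the helper names, the frame builder, overread_bytes() and the sample values (global_id 4242, 4096 claimed bytes) are assumptions made for the demonstration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not kernel code: simplified stand-ins for libceph's ceph_decode_*
 * helpers (little-endian fields, cursor *p, end pointer, jump to a "bad" label on
 * short input). The auth_done field order (global_id, con_mode, payload_len,
 * payload) matches what handle_auth_done() decodes; other names and values are assumed. */

static uint64_t get_le(const uint8_t *p, int n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

static void put_le(uint8_t *p, uint64_t v, int n)
{
    for (int i = 0; i < n; i++)
        p[i] = (uint8_t)(v >> (8 * i));
}

/* Fail to `bad` unless at least n bytes remain between *p and end. */
#define ceph_decode_need(p, end, n, bad) \
    do { if ((end) < *(p) || (size_t)((end) - *(p)) < (size_t)(n)) goto bad; } while (0)
#define ceph_decode_n_safe(p, end, v, n, bad) \
    do { ceph_decode_need(p, end, n, bad); (v) = get_le(*(p), n); *(p) += (n); } while (0)
#define ceph_decode_64_safe(p, end, v, bad) ceph_decode_n_safe(p, end, v, 8, bad)
#define ceph_decode_32_safe(p, end, v, bad) ceph_decode_n_safe(p, end, v, 4, bad)

struct auth_done {
    uint64_t global_id;
    uint32_t con_mode;
    uint32_t payload_len;   /* length the peer claims */
    const uint8_t *payload; /* where the callout would start reading */
};

/* Pre-fix shape: payload_len is decoded and then trusted. */
static int handle_auth_done_vuln(const uint8_t *buf, size_t len, struct auth_done *out)
{
    const uint8_t *p = buf, *end = buf + len;
    ceph_decode_64_safe(&p, end, out->global_id, bad);
    ceph_decode_32_safe(&p, end, out->con_mode, bad);
    ceph_decode_32_safe(&p, end, out->payload_len, bad);
    out->payload = p;       /* callout reads payload_len bytes from here */
    return 0;
bad:
    return -EINVAL;
}

/* Post-fix shape: the length is checked against the buffer before it is handed on. */
static int handle_auth_done_fixed(const uint8_t *buf, size_t len, struct auth_done *out)
{
    const uint8_t *p = buf, *end = buf + len;
    ceph_decode_64_safe(&p, end, out->global_id, bad);
    ceph_decode_32_safe(&p, end, out->con_mode, bad);
    ceph_decode_32_safe(&p, end, out->payload_len, bad);
    ceph_decode_need(&p, end, out->payload_len, bad);   /* the added check */
    out->payload = p;
    return 0;
bad:
    return -EINVAL;
}

/* Bytes a callout trusting payload_len would read past the end of the frame. */
static size_t overread_bytes(const struct auth_done *ad, const uint8_t *buf, size_t len)
{
    size_t avail = (size_t)((buf + len) - ad->payload);
    return ad->payload_len > avail ? ad->payload_len - avail : 0;
}

/* Constructed frame (test input, not captured traffic): claimed_len is chosen
 * independently of the actual_len bytes appended, so a lie can be encoded. */
static size_t build_auth_done(uint8_t *buf, size_t cap, uint64_t global_id, uint32_t con_mode,
                              uint32_t claimed_len, const uint8_t *payload, size_t actual_len)
{
    if (cap < 16 + actual_len)
        return 0;
    put_le(buf, global_id, 8);
    put_le(buf + 8, con_mode, 4);
    put_le(buf + 12, claimed_len, 4);
    memcpy(buf + 16, payload, actual_len);
    return 16 + actual_len;
}

int main(void)
{
    uint8_t buf[64];
    struct auth_done ad;
    const uint8_t pl[4] = { 1, 2, 3, 4 };
    /* Malicious peer: claims 4096 payload bytes but sends only 4. */
    size_t n = build_auth_done(buf, sizeof buf, 4242, 1, 4096, pl, sizeof pl);
    int rc = handle_auth_done_vuln(buf, n, &ad);
    printf("pre-fix:  rc=%d, callout would over-read %zu bytes\n", rc, overread_bytes(&ad, buf, n));
    printf("post-fix: rc=%d (malformed auth_done rejected)\n", handle_auth_done_fixed(buf, n, &ad));
    return 0;
}
```

The pre-fix parser accepts the 20-byte frame and hands a payload_len of 4096 to the caller, so a callout that trusts it would read 4092 bytes beyond the buffer; the post-fix parser rejects the same frame with -EINVAL at the added check. Note that the check has to use the remaining length (end minus p), not the total frame length, because the three fixed-size fields have already been consumed.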

03

Branch     Fixed in     Patch commit
5.15       5.15.198     194cfe2af4d2
6.1        6.1.161      79fe3511db41
6.6        6.6.121      ef208ea331ef
6.12       6.12.66      2802ef3380fa
6.18       6.18.6       2d653bb63d59
mainline   6.19         818156caffbf