CVE-2025-21737

{"id": "CVE-2025-21737", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2025-02-27T03:15:14.327", "references": [{"url": "https://git.kernel.org/stable/c/146109fe936ac07f8f60cd6267543688985b96bc", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/2b6086c5efe5c7bd6e0eb440d96c26ca0d20d9d7", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3b7d93db450e9d8ead80d75e2a303248f1528c35", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-401"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nceph: fix memory leak in ceph_mds_auth_match()\n\nWe now free the temporary target path substring allocation on every\npossible branch, instead of omitting the default branch. In some\ncases, a memory leak occured, which could rapidly crash the system\n(depending on how many file accesses were attempted).\n\nThis was detected in production because it caused a continuous memory\ngrowth, eventually triggering kernel OOM and completely hard-locking\nthe kernel.\n\nRelevant kmemleak stacktrace:\n\n unreferenced object 0xffff888131e69900 (size 128):\n comm \"git\", pid 66104, jiffies 4295435999\n hex dump (first 32 bytes):\n 76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65 volumes/containe\n 72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67 rs/gitea/gitea/g\n backtrace (crc 2f3bb450):\n [<ffffffffaa68fb49>] __kmalloc_noprof+0x359/0x510\n [<ffffffffc32bf1df>] ceph_mds_check_access+0x5bf/0x14e0 [ceph]\n [<ffffffffc3235722>] ceph_open+0x312/0xd80 [ceph]\n [<ffffffffaa7dd786>] do_dentry_open+0x456/0x1120\n [<ffffffffaa7e3729>] vfs_open+0x79/0x360\n [<ffffffffaa832875>] path_openat+0x1de5/0x4390\n [<ffffffffaa834fcc>] do_filp_open+0x19c/0x3c0\n [<ffffffffaa7e44a1>] do_sys_openat2+0x141/0x180\n [<ffffffffaa7e4945>] __x64_sys_open+0xe5/0x1a0\n [<ffffffffac2cc2f7>] do_syscall_64+0xb7/0x210\n [<ffffffffac400130>] entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nIt can be triggered by mouting a subdirectory of a CephFS filesystem,\nand then trying to access files on this subdirectory with an auth token\nusing a path-scoped capability:\n\n $ ceph auth get client.services\n [client.services]\n key = REDACTED\n caps mds = \"allow rw fsname=cephfs path=/volumes/\"\n caps mon = \"allow r fsname=cephfs\"\n caps osd = \"allow rw tag cephfs data=cephfs\"\n\n $ cat /proc/self/mounts\n services@[REDACTED].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=<hidden>,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTED]:3300,recover_session=clean 0 0\n\n $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} && \\\n seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{}\n\n[ idryomov: combine if statements, rename rc to path_matched and make\n it a bool, formatting ]"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: ceph: se corrige una p\u00e9rdida de memoria en ceph_mds_auth_match() Ahora liberamos la asignaci\u00f3n de subcadena de la ruta de destino temporal en cada rama posible, en lugar de omitir la rama predeterminada. En algunos casos, se produjo una p\u00e9rdida de memoria que pod\u00eda bloquear r\u00e1pidamente el sistema (seg\u00fan la cantidad de accesos a archivos que se intentaran). Esto se detect\u00f3 en producci\u00f3n porque provoc\u00f3 un crecimiento continuo de la memoria, lo que finalmente provoc\u00f3 un OOM del kernel y lo bloque\u00f3 por completo. Rastreo de pila de kmemleak relevante: objeto sin referencia 0xffff888131e69900 (tama\u00f1o 128): comm \"git\", pid 66104, jiffies 4295435999 volcado hexadecimal (primeros 32 bytes): 76 6f 6c 75 6d 65 73 2f 63 6f 6e 74 61 69 6e 65 vol\u00famenes/contenedores 72 73 2f 67 69 74 65 61 2f 67 69 74 65 61 2f 67 rs/gitea/gitea/g backtrace (crc 2f3bb450): [] __kmalloc_noprof+0x359/0x510 [] ceph_mds_check_access+0x5bf/0x14e0 [ceph] [] ceph_open+0x312/0xd80 [ceph] [] do_dentry_open+0x456/0x1120 [] vfs_open+0x79/0x360 [] path_openat+0x1de5/0x4390 [] do_filp_open+0x19c/0x3c0 [] do_sys_openat2+0x141/0x180 [] __x64_sys_open+0xe5/0x1a0 [] do_syscall_64+0xb7/0x210 [] entry_SYSCALL_64_after_hwframe+0x77/0x7f Se puede activar montando un subdirectorio de un sistema de archivos CephFS y luego intentando acceder a los archivos en este subdirectorio con un token de autenticaci\u00f3n usando una capacidad con alcance de ruta: $ ceph auth get client.services [client.services] key = REDACTED caps mds = \"allow rw fsname=cephfs path=/volumes/\" caps mon = \"allow r fsname=cephfs\" caps osd = \"allow rw tag cephfs data=cephfs\" $ cat /proc/self/mounts services@[REDACTADO].cephfs=/volumes/containers /ceph/containers ceph rw,noatime,name=services,secret=,ms_mode=prefer-crc,mount_timeout=300,acl,mon_addr=[REDACTADO]:3300,recover_session=clean 0 0 $ seq 1 1000000 | xargs -P32 --replace={} touch /ceph/containers/file-{} &amp;&amp; \\ seq 1 1000000 | xargs -P32 --replace={} cat /ceph/containers/file-{} [ idryomov: combinar instrucciones if, cambiar el nombre de rc a path_matched y convertirlo en un bool, formatear ]"}], "lastModified": "2025-03-06T12:21:35.360", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "39B6CD9F-15B4-4B45-976A-23B03B501740", "versionEndExcluding": "6.12.14", "versionStartIncluding": "6.10"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0E92CEE3-1FC3-4AFC-A513-DEDBA7414F00", "versionEndExcluding": "6.13.3", "versionStartIncluding": "6.13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}