CVE-2021-47000 – Patch Applied to Linux Kernel for Ceph's Inode Leak Found in __fh_to_dentry()

A vulnerability (CVE-2021-47000) affecting the Linux kernel was recently identified and a patch has been applied. The vulnerability was due to an inode leak within Ceph, specifically in the __fh_to_dentry function when gathering file attributes. An inode leak effectively occurs when a system does not release its inodes at the proper time, which could potentially lead to a degradation in the filesystem's performance, or even cause a full inode table. This blog post will explore the details of this vulnerability, discuss the potential exploit, provide a code snippet for reference, and share links to the original sources and patch details.

Exploit Details

Ceph is a distributed and highly available filesystem widely used in data center environments due to its enhanced scalability and flexibility. The __fh_to_dentry() function within Ceph is responsible for converting an NFS file handle to a dentry within the kernel. However, a problem arises when the getattr call within this function encounters an error. The correct behavior in this situation is to release the inode associated with the erroneous condition, but the vulnerability (CVE-2021-47000) exists since the inode is not properly released.

This inode leak could be potentially exploited by a malicious party to exhaust all inodes of the Ceph filesystem, ultimately causing a Denial of Service (DoS) attack. This would impose a significant burden on system resources and make the filesystem unavailable for legitimate users.

Code Snippet

The vulnerability (CVE-2021-47000) was resolved by the patch, which properly releases the inode within the __fh_to_dentry() function. See the code snippet below, which demonstrates the addition of the missing "iput()" call, ensuring the inode is properly released in cases where the getattr call encounters an error.

static struct dentry *__fh_to_dentry(struct super_block *sb, struct fid *fid,
+                    int fh_len, int fh_type, int (*acceptable)(void *, struct dentry *), void *context)
 {
         struct inode *inode;
         struct dentry *dentry;
 
         if (fh_len < 2 || (fh_type != CEPH_NFS_TYPE_INO &&
                            fh_type != CEPH_NFS_TYPE_ANY))
                 return ERR_PTR(-ESTALE);
 
         inode = ceph_find_inode(sb, ceph_ino(inode));
         if (!inode)
                 return ERR_PTR(-ESTALE);
         dentry = d_obtain_alias(inode);
         if (IS_ERR(dentry)) {
-                iput(inode);
                 return dentry;
         }
 
         if (!acceptable(context, dentry)) {
                 dput(dentry);
+                iput(inode);
                 return ERR_PTR(-ESTALE);
         }
 
         return dentry;
 }

Original References & Patch Details

This vulnerability (CVE-2021-47000) has been fixed with the patch that is now applied to the Linux kernel. For more information regarding this issue and the patch applied, please refer to the following links:

1. Linux Kernel Git commit – This contains the original GIT commit for the patch that resolves the vulnerability.
2. CVE-2021-47000 – MITRE Corporation's CVE details page, featuring the brief information of the vulnerability.

Conclusion

The inode leak (CVE-2021-47000) within the Linux kernel's Ceph implementation has been addressed and resolved with a patch. It is recommended to update your Linux kernel to incorporate this patch and secure your system against possible exploits. Staying up-to-date and vigilant in the face of security threats is essential to maintaining a secure and efficient filesystem, especially in environments where Ceph is widely used.

Timeline

Published on: 02/28/2024 09:15:38 UTC
Last modified on: 02/28/2024 14:06:45 UTC