CVE CyberSecurity Database News

CVE-2022-49107 - Memory Leak in Linux Kernel `ceph_readdir` Explained (with Code, Exploit Details, and Fix)

Poster -

Date: June 2024
Category: Linux Kernel, Ceph, Memory Leak, CVE
Tags: CVE-2022-49107, Security, Kernel Bug, Exploit

What is CVE-2022-49107?

CVE-2022-49107 is a flaw found in the Linux Kernel, specifically concerning the Ceph distributed filesystem. The vulnerability involves a memory leak in the ceph_readdir function when the note_last_dentry function returns an error. This could potentially lead to system resource exhaustion, and, in certain contexts, a denial-of-service situation.

If your system uses Ceph with a vulnerable kernel version, or you run workloads on a shared host where others may try to exploit memory overuse, this vulnerability is relevant to you.

How Does The Vulnerability Happen?

The ceph_readdir function is responsible for reading directory entries in Ceph-backed filesystems, used in cloud and distributed storage solutions. During operation, it keeps track of the "last directory entry" (last_readdir). When it tries to log this last entry, if an error happens (note_last_dentry returns error), last_readdir is not properly freed (memory is not released).

Over repeated or malicious usage, this can cause a memory leak.

Problem Code (Before the Fix)

// Vulnerable code snippet (before patch)
if (note_last_dentry(ctx, last_readdir, last_readdir_hash)) {
    // error handling missing reset of last_readdir
    // last_readdir memory not freed!
    return -ENOMEM;
}

// ... more code ...

If note_last_dentry returns an error, the pointer last_readdir still holds allocated memory, but it will never be freed—thus leaking memory with each call.

Exploit Impact and Scenario

A user (or attacker) could repeatedly trigger directory reads in a way that solicits errors from note_last_dentry. Since each error leaks memory, this can be abused in a denial-of-service (DoS) attack.

For instance, on a multi-tenant system, a malicious user could cause kernel memory exhaustion by simply listing directories (using ls or similar commands) in a crafted way designed to hit the vulnerable code path.

(Not real-world, but illustrates the mechanism)

# Bash pseudo-exploit: endlessly ls a bad Ceph directory
while true; do
  ls /ceph-bad-dir/does-not-exist || true
done

If note_last_dentry is triggered and returns an error on this path, the repeated leak will eventually lead to memory exhaustion.

The Fix

The kernel patch resets and, when safe, frees the last_readdir structure at the right time, even if note_last_dentry returns an error. Also, a useful code comment was added to explain why sometimes the memory must not be freed—specifically when dir_emit() returns false (because the VFS still has a reference).

Fixed Code Snippet

if (note_last_dentry(ctx, last_readdir, last_readdir_hash)) {
    kfree(last_readdir); // now properly free the memory
    last_readdir = NULL; // reset pointer to avoid dangling
    last_readdir_hash = ;
    return -ENOMEM;
}

/* 
 * Do not free last_readdir if dir_emit returns false, 
 * because the VFS may still be using it.
 */

Summary of the change:

Where to Read More (References)

- Linux Kernel Patch Commit (lkml.org)
- CVE Details for CVE-2022-49107
- Ceph Filesystem Overview

Update

Apply the latest kernel updates for your distribution. Red Hat, Ubuntu, and others have released patched kernels.

Wrap-up

CVE-2022-49107 may not be easily exploitable in all environments, but in multi-user or cloud setups, it opens the door to denial-of-service through a subtle memory leak in the kernel's Ceph directory code.
The fix is small, clear, and easy to deploy: upgrade your kernel and stay safe!

Stay secure, stay patched!

*Want to go deeper? Check the code change here.*

Timeline

Published on: 02/26/2025 07:00:48 UTC
Last modified on: 03/13/2025 21:33:56 UTC