Bug 2422801 (CVE-2025-68285)

Summary: CVE-2025-68285 kernel: libceph: fix potential use-after-free in have_mon_and_osd_map()
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: jsanemet
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A use-after-free vulnerability was found in the Ceph client session initialization in the Linux kernel. The have_mon_and_osd_map() function checks map epochs without holding the appropriate locks, racing with concurrent map updates that free the old map. This can result in dereferencing freed memory during CephFS or RBD mount operations.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-16 16:02:40 UTC 
In the Linux kernel, the following vulnerability has been resolved:

libceph: fix potential use-after-free in have_mon_and_osd_map()

The wait loop in __ceph_open_session() can race with the client
receiving a new monmap or osdmap shortly after the initial map is
received.  Both ceph_monc_handle_map() and handle_one_map() install
a new map immediately after freeing the old one

    kfree(monc->monmap);
    monc->monmap = monmap;

    ceph_osdmap_destroy(osdc->osdmap);
    osdc->osdmap = newmap;

under client->monc.mutex and client->osdc.lock respectively, but
because neither is taken in have_mon_and_osd_map() it's possible for
client->monc.monmap->epoch and client->osdc.osdmap->epoch arms in

    client->monc.monmap && client->monc.monmap->epoch &&
        client->osdc.osdmap && client->osdc.osdmap->epoch;

condition to dereference an already freed map.  This happens to be
reproducible with generic/395 and generic/397 with KASAN enabled:

    BUG: KASAN: slab-use-after-free in have_mon_and_osd_map+0x56/0x70
    Read of size 4 at addr ffff88811012d810 by task mount.ceph/13305
    CPU: 2 UID: 0 PID: 13305 Comm: mount.ceph Not tainted 6.14.0-rc2-build2+ #1266
    ...
    Call Trace:
    <TASK>
    have_mon_and_osd_map+0x56/0x70
    ceph_open_session+0x182/0x290
    ceph_get_tree+0x333/0x680
    vfs_get_tree+0x49/0x180
    do_new_mount+0x1a3/0x2d0
    path_mount+0x6dd/0x730
    do_mount+0x99/0xe0
    __do_sys_mount+0x141/0x180
    do_syscall_64+0x9f/0x100
    entry_SYSCALL_64_after_hwframe+0x76/0x7e
    </TASK>

    Allocated by task 13305:
    ceph_osdmap_alloc+0x16/0x130
    ceph_osdc_init+0x27a/0x4c0
    ceph_create_client+0x153/0x190
    create_fs_client+0x50/0x2a0
    ceph_get_tree+0xff/0x680
    vfs_get_tree+0x49/0x180
    do_new_mount+0x1a3/0x2d0
    path_mount+0x6dd/0x730
    do_mount+0x99/0xe0
    __do_sys_mount+0x141/0x180
    do_syscall_64+0x9f/0x100
    entry_SYSCALL_64_after_hwframe+0x76/0x7e

    Freed by task 9475:
    kfree+0x212/0x290
    handle_one_map+0x23c/0x3b0
    ceph_osdc_handle_map+0x3c9/0x590
    mon_dispatch+0x655/0x6f0
    ceph_con_process_message+0xc3/0xe0
    ceph_con_v1_try_read+0x614/0x760
    ceph_con_workfn+0x2de/0x650
    process_one_work+0x486/0x7c0
    process_scheduled_works+0x73/0x90
    worker_thread+0x1c8/0x2a0
    kthread+0x2ec/0x300
    ret_from_fork+0x24/0x40
    ret_from_fork_asm+0x1a/0x30

Rewrite the wait loop to check the above condition directly with
client->monc.mutex and client->osdc.lock taken as appropriate.  While
at it, improve the timeout handling (previously mount_timeout could be
exceeded in case wait_event_interruptible_timeout() slept more than
once) and access client->auth_err under client->monc.mutex to match
how it's set in finish_auth().

monmap_show() and osdmap_show() now take the respective lock before
accessing the map as well.
Comment 1 Alexander B 2025-12-16 19:34:20 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025121638-CVE-2025-68285-8339@gregkh/T
Comment 4 errata-xmlrpc 2026-01-12 02:37:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0443 https://access.redhat.com/errata/RHSA-2026:0443
Comment 5 errata-xmlrpc 2026-01-12 03:27:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2026:0444 https://access.redhat.com/errata/RHSA-2026:0444
Comment 6 errata-xmlrpc 2026-01-13 09:28:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:0489 https://access.redhat.com/errata/RHSA-2026:0489
Comment 7 errata-xmlrpc 2026-01-14 00:07:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:0537 https://access.redhat.com/errata/RHSA-2026:0537
Comment 8 errata-xmlrpc 2026-01-14 00:09:30 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:0534 https://access.redhat.com/errata/RHSA-2026:0534
Comment 9 errata-xmlrpc 2026-01-14 00:13:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2026:0533 https://access.redhat.com/errata/RHSA-2026:0533
Comment 10 errata-xmlrpc 2026-01-14 00:19:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2026:0536 https://access.redhat.com/errata/RHSA-2026:0536
Comment 11 errata-xmlrpc 2026-01-14 00:20:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2026:0532 https://access.redhat.com/errata/RHSA-2026:0532
Comment 12 errata-xmlrpc 2026-01-14 00:28:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:0535 https://access.redhat.com/errata/RHSA-2026:0535
Comment 13 errata-xmlrpc 2026-01-14 09:47:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:0576 https://access.redhat.com/errata/RHSA-2026:0576
Comment 14 errata-xmlrpc 2026-01-15 01:08:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2026:0643 https://access.redhat.com/errata/RHSA-2026:0643
Comment 16 errata-xmlrpc 2026-01-19 00:30:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10.0 Extended Update Support

Via RHSA-2026:0747 https://access.redhat.com/errata/RHSA-2026:0747
Comment 17 errata-xmlrpc 2026-01-19 01:15:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:0754 https://access.redhat.com/errata/RHSA-2026:0754
Comment 18 errata-xmlrpc 2026-01-19 01:32:52 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2026:0755 https://access.redhat.com/errata/RHSA-2026:0755
Comment 19 errata-xmlrpc 2026-01-19 09:25:06 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2026:0786 https://access.redhat.com/errata/RHSA-2026:0786
Comment 20 errata-xmlrpc 2026-01-19 11:41:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:0793 https://access.redhat.com/errata/RHSA-2026:0793
Comment 21 errata-xmlrpc 2026-01-19 13:14:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:0804 https://access.redhat.com/errata/RHSA-2026:0804
Comment 23 errata-xmlrpc 2026-02-03 18:34:03 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2026:1820 https://access.redhat.com/errata/RHSA-2026:1820
Comment 24 errata-xmlrpc 2026-02-05 13:42:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.6 Extended Update Support

Via RHSA-2026:2096 https://access.redhat.com/errata/RHSA-2026:2096
Comment 25 errata-xmlrpc 2026-02-05 13:58:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2026:2109 https://access.redhat.com/errata/RHSA-2026:2109
Comment 26 errata-xmlrpc 2026-02-05 14:05:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2026:2115 https://access.redhat.com/errata/RHSA-2026:2115
Comment 27 errata-xmlrpc 2026-02-05 15:05:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2026:2127 https://access.redhat.com/errata/RHSA-2026:2127