lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 4 Mar 2024 13:19:02 +0100
From: Christian Brauner <brauner@...nel.org>
To: Dominique Martinet <asmadeus@...ewreck.org>
Cc: xingwei lee <xrivendell7@...il.com>, linux-kernel@...r.kernel.org, 
	samsun1006219@...il.com, linux-fsdevel@...r.kernel.org, syzkaller@...glegroups.com, 
	jack@...e.cz, viro@...iv.linux.org.uk, Eric Van Hensbergen <ericvh@...nel.org>, 
	v9fs@...ts.linux.dev
Subject: Re: WARNING in vfs_getxattr_alloc

On Mon, Mar 04, 2024 at 09:11:23PM +0900, Dominique Martinet wrote:
> Christian Brauner wrote on Mon, Mar 04, 2024 at 12:50:12PM +0100:
> > > kernel: lastest linux 6.7.rc8 90d35da658da8cff0d4ecbb5113f5fac9d00eb72
> > > kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=4a65fa9f077ead01
> > > with KASAN enabled
> > > compiler: gcc (GCC) 12.2.0
> > > 
> > > TITLE: WARNING in vfs_getxattr_alloc------------[ cut here ]------------
> > 
> > Very likely a bug in 9p. Report it on that mailing list. It seems that
> > p9_client_xattrwalk() returns questionable values for attr_size:
> > 748310584784038656
> > That's obviously a rather problematic allocation request.
> 
> That's whatever the server requested -- in 9p we don't have the data at
> allocation time (xattrwalk returns the size, then we "read" it out in a
> subsequent request), so we cannot double-check that the size makes sense
> based on a payload at this point.
> 
> We could obviously add a max (the current max of SSIZE_MAX is "a bit"
> too generous), but I honestly have no idea what'd make sense for this
> without breaking some weird usecase somewhere (given the content is
> "read" we're not limited by the size of a single message; I've seen
> someone return large content as synthetic xattrs so it's hard to put an
> actual number for me).
> If the linux VFS has a max hard-wired somewhere plase tell me and I'll
> be glad to change the max.

Surprisingly we have a max limit that exists in a way because the whole
xattr uapi is somewhat broken. So best to limit it at XATTR_SIZE_MAX.
See fs/xattr.c for how it's used.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ