lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20240304-zeitschrift-tagung-6f2a28e781bc@brauner>
Date: Mon, 4 Mar 2024 15:19:58 +0100
From: Christian Brauner <brauner@...nel.org>
To: Christian Schoenebeck <linux_oss@...debyte.com>
Cc: Eric Van Hensbergen <ericvh@...nel.org>, 
	Latchesar Ionkov <lucho@...kov.net>, Dominique Martinet <asmadeus@...ewreck.org>, 
	v9fs@...ts.linux.dev, linux-kernel@...r.kernel.org, 
	xingwei lee <xrivendell7@...il.com>, sam sun <samsun1006219@...il.com>, 
	Seth Forshee <sforshee@...nel.org>
Subject: Re: [PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

On Mon, Mar 04, 2024 at 02:35:07PM +0100, Christian Schoenebeck wrote:
> On Monday, March 4, 2024 1:42:43 PM CET Dominique Martinet wrote:
> > We probably shouldn't ever get an xattr bigger than that, and the current check
> > of SSIZE_MAX is a bit too large.
> 
> Maybe, OTOH e.g. ACLs (dynamic size) are implemented by storing them as xattrs
> on 9p server as well, and this change somewhat expects server to run Linux as
> well. So maybe s/XATTR_SIZE_MAX/KMALLOC_MAX_SIZE/ might be more appropriate,
> considering that this patch is about fixing a potential kmalloc() warning?
> 
> Worth to mention in the commit log BTW what the issue was.
> 
> /Christian

So the error is somewhat specific to filesystem capabilities which also
live in the xattr apis but Seth is working to get rid of them in there.

They currently use a special api vfs_getxattr_alloc() which is an
in-kernel api that does a racy query-size+allocate-buffer+retrieve-data
dance.

That api is used for fscaps, security labels, and other xattrs. And that
api doesn't do any size checks which probably should also be fixed now
that I write this.

@Seth?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ