From: Leo Stone <leocstone@gmail.com>
To: syzbot+03fb58296859d8dbab4d@syzkaller.appspotmail.com
Cc: asmadeus@codewreck.org, ericvh@gmail.com, ericvh@kernel.org,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux_oss@crudebyte.com, lucho@ionkov.net,
syzkaller-bugs@googlegroups.com, torvalds@linux-foundation.org,
v9fs-developer@lists.sourceforge.net, v9fs@lists.linux.dev,
viro@zeniv.linux.org.uk, Leo Stone <leocstone@gmail.com>
Subject: [PATCH] 9p: Limit xattr size to XATTR_SIZE_MAX
Date: Wed, 11 Dec 2024 16:20:22 -0800
Message-ID: <20241212002022.209049-1-leocstone@gmail.com>
In-Reply-To: <675963eb.050a0220.17f54a.0038.GAE@google.com>
syzbot triggered a warning in kmalloc by trying to mount a v9fs
filesystem from a pipe, after specifying an ACL size of 9TB for the
root inode in the data written to the pipe.
An xattr larger than XATTR_SIZE_MAX is considered invalid by the VFS
layer anyway. See do_getxattr():
> } else if (error == -ERANGE && ctx->size >= XATTR_SIZE_MAX) {
> /* The file system tried to returned a value bigger
> than XATTR_SIZE_MAX bytes. Not possible. */
> error = -E2BIG;
> }
Reported-by: syzbot+03fb58296859d8dbab4d@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=03fb58296859d8dbab4d
Fixes: ebf46264a004 ("fs/9p: Add support user. xattr")
Signed-off-by: Leo Stone <leocstone@gmail.com>
---
See: https://lore.kernel.org/all/675963eb.050a0220.17f54a.0038.GAE@google.com/T/
---
fs/9p/xattr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c
index 8604e3377ee7..97f60b73bf16 100644
--- a/fs/9p/xattr.c
+++ b/fs/9p/xattr.c
@@ -37,8 +37,8 @@ ssize_t v9fs_fid_xattr_get(struct p9_fid *fid, const char *name,
if (attr_size > buffer_size) {
if (buffer_size)
retval = -ERANGE;
- else if (attr_size > SSIZE_MAX)
- retval = -EOVERFLOW;
+ else if (attr_size > XATTR_SIZE_MAX)
+ retval = -E2BIG;
else /* request to get the attr_size */
retval = attr_size;
} else {
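Review bot: the new XATTR_SIZE_MAX test sits in the else-if after "if (buffer_size)", so it is only reached for the size query (buffer_size == 0); with a non-zero buffer that is smaller than an oversized attr_size, the function still returns -ERANGE rather than -E2BIG. That is consistent with the do_getxattr() snippet quoted in the commit message, which converts -ERANGE to -E2BIG on its own, but a caller that does not go through do_getxattr() would get two different errors for the same oversized value. Consider checking attr_size > XATTR_SIZE_MAX first, ahead of the buffer_size comparison, and adding a one-line comment that attr_size is taken from data supplied by the other end of the transport and so has to be bounded before a caller sizes an allocation from the return value. Dropping the SSIZE_MAX test looks fine, since any attr_size that passes the new bound fits in the ssize_t return.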
--
2.43.0