From: Christian Schoenebeck <linux_oss@crudebyte.com>
To: Eric Van Hensbergen <ericvh@kernel.org>,
Latchesar Ionkov <lucho@ionkov.net>,
Dominique Martinet <asmadeus@codewreck.org>,
Michael Bommarito <michael.bommarito@gmail.com>
Cc: v9fs@lists.linux.dev, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] 9p/trans_virtio: reject mount tags that cannot fit a sysfs page
Date: Fri, 26 Jun 2026 14:34:31 +0200 [thread overview]
Message-ID: <14038397.uLZWGnKmhe@weasel> (raw)
In-Reply-To: <20260626111906.801890-1-michael.bommarito@gmail.com>
On Friday, 26 June 2026 13:19:06 CEST Michael Bommarito wrote:
> p9_virtio_probe() reads the mount tag length from the device's
> virtio_9p_config.tag_len, a 16-bit field, and accepts any value up to
> 65535 with no upper bound:
>
> virtio_cread(vdev, struct virtio_9p_config, tag_len, &tag_len);
> ...
> tag = kzalloc(tag_len + 1, GFP_KERNEL);
>
> The tag is later emitted through the world-readable
> /sys/.../mount_tag attribute by p9_mount_tag_show(), which copies the
> whole NUL-terminated tag into the single PAGE_SIZE buffer that the
> sysfs core provides:
>
> tag_len = strlen(chan->tag);
> memcpy(buf, chan->tag, tag_len + 1);
>
> A tag longer than the page therefore overruns the sysfs buffer. Under
> the confidential-computing threat model, where the guest does not
> trust the host, a malicious or compromised host can advertise a
> ~64 KiB tag; the first read of mount_tag (udev reads it at probe) then
> copies host-controlled content past the end of the 4 KiB page, a slab
> out-of-bounds write.
[...]
> net/9p/trans_virtio.c | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c
> index b0d0094ec8e2c..15568f40509c4 100644
> --- a/net/9p/trans_virtio.c
> +++ b/net/9p/trans_virtio.c
> @@ -633,6 +633,11 @@ static int p9_virtio_probe(struct virtio_device *vdev)
> err = -EINVAL;
> goto out_free_vq;
> }
> + if (tag_len >= PAGE_SIZE) {
That should be tag_len >= PAGE_SIZE - 1.
However you are still assuming and hard-coding an implementation specific
limit of seq_file. If that limit changes there, it breaks *silently* here
again.
I would rather handle this more aggressively by using NAME_MAX (255) as tag
length limit; safe and avoids complicated alternative solutions.
> + dev_err(&vdev->dev, "mount tag too long (%u bytes)\n", tag_len);
> + err = -EINVAL;
> + goto out_free_vq;
> + }
> tag = kzalloc(tag_len + 1, GFP_KERNEL);
> if (!tag) {
> err = -ENOMEM;
>
> base-commit: 4edcdefd4083ae04b1a5656f4be6cd83ae919ef4
next prev parent reply other threads:[~2026-06-26 13:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-10 11:42 [PATCH] 9p/trans_virtio: bound mount_tag show copy to one page Michael Bommarito
2026-06-10 15:46 ` Christian Schoenebeck
2026-06-10 16:00 ` Michael Bommarito
2026-06-26 11:19 ` [PATCH v3] 9p/trans_virtio: reject mount tags that cannot fit a sysfs page Michael Bommarito
2026-06-26 12:34 ` Christian Schoenebeck [this message]
2026-06-27 21:10 ` [PATCH v4] 9p/trans_virtio: reject mount tags longer than NAME_MAX at probe Michael Bommarito
2026-07-03 15:14 ` Christian Schoenebeck
2026-06-29 11:57 ` [PATCH v3] 9p/trans_virtio: reject mount tags that cannot fit a sysfs page kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=14038397.uLZWGnKmhe@weasel \
--to=linux_oss@crudebyte.com \
--cc=asmadeus@codewreck.org \
--cc=ericvh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=lucho@ionkov.net \
--cc=michael.bommarito@gmail.com \
--cc=v9fs@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox