[PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[Dominique Martinet]

We probably shouldn't ever get an xattr bigger than that, and the current check
of SSIZE_MAX is a bit too large.

Cc: Christian Brauner <brauner@kernel.org>
Cc: xingwei lee <xrivendell7@gmail.com>
Cc: sam sun <samsun1006219@gmail.com
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
---
 fs/9p/xattr.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/9p/xattr.c b/fs/9p/xattr.c
index 8604e3377ee7..97f60b73bf16 100644
--- a/fs/9p/xattr.c
+++ b/fs/9p/xattr.c
@@ -37,8 +37,8 @@ ssize_t v9fs_fid_xattr_get(struct p9_fid *fid, const char *name,
 	if (attr_size > buffer_size) {
 		if (buffer_size)
 			retval = -ERANGE;
-		else if (attr_size > SSIZE_MAX)
-			retval = -EOVERFLOW;
+		else if (attr_size > XATTR_SIZE_MAX)
+			retval = -E2BIG;
 		else /* request to get the attr_size */
 			retval = attr_size;
 	} else {

---
base-commit: be3193e58ec210b2a72fb1134c2a0695088a911d
change-id: 20240304-xattr_maxsize-edf98c1a8c19

Best regards,
-- 
Dominique Martinet | Asmadeus

Re: [PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[Christian Schoenebeck]

On Monday, March 4, 2024 1:42:43 PM CET Dominique Martinet wrote:
> We probably shouldn't ever get an xattr bigger than that, and the current check
> of SSIZE_MAX is a bit too large.

Maybe, OTOH e.g. ACLs (dynamic size) are implemented by storing them as xattrs
on 9p server as well, and this change somewhat expects server to run Linux as
well. So maybe s/XATTR_SIZE_MAX/KMALLOC_MAX_SIZE/ might be more appropriate,
considering that this patch is about fixing a potential kmalloc() warning?

Worth to mention in the commit log BTW what the issue was.

/Christian

Re: [PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[Christian Brauner]

On Mon, Mar 04, 2024 at 02:35:07PM +0100, Christian Schoenebeck wrote:
> On Monday, March 4, 2024 1:42:43 PM CET Dominique Martinet wrote:
> > We probably shouldn't ever get an xattr bigger than that, and the current check
> > of SSIZE_MAX is a bit too large.
> 
> Maybe, OTOH e.g. ACLs (dynamic size) are implemented by storing them as xattrs
> on 9p server as well, and this change somewhat expects server to run Linux as
> well. So maybe s/XATTR_SIZE_MAX/KMALLOC_MAX_SIZE/ might be more appropriate,
> considering that this patch is about fixing a potential kmalloc() warning?
> 
> Worth to mention in the commit log BTW what the issue was.
> 
> /Christian

So the error is somewhat specific to filesystem capabilities which also
live in the xattr apis but Seth is working to get rid of them in there.

They currently use a special api vfs_getxattr_alloc() which is an
in-kernel api that does a racy query-size+allocate-buffer+retrieve-data
dance.

That api is used for fscaps, security labels, and other xattrs. And that
api doesn't do any size checks which probably should also be fixed now
that I write this.

@Seth?

Re: [PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[Seth Forshee]

On Mon, Mar 04, 2024 at 03:19:58PM +0100, Christian Brauner wrote:
> On Mon, Mar 04, 2024 at 02:35:07PM +0100, Christian Schoenebeck wrote:
> > On Monday, March 4, 2024 1:42:43 PM CET Dominique Martinet wrote:
> > > We probably shouldn't ever get an xattr bigger than that, and the current check
> > > of SSIZE_MAX is a bit too large.
> > 
> > Maybe, OTOH e.g. ACLs (dynamic size) are implemented by storing them as xattrs
> > on 9p server as well, and this change somewhat expects server to run Linux as
> > well. So maybe s/XATTR_SIZE_MAX/KMALLOC_MAX_SIZE/ might be more appropriate,
> > considering that this patch is about fixing a potential kmalloc() warning?
> > 
> > Worth to mention in the commit log BTW what the issue was.
> > 
> > /Christian
> 
> So the error is somewhat specific to filesystem capabilities which also
> live in the xattr apis but Seth is working to get rid of them in there.
> 
> They currently use a special api vfs_getxattr_alloc() which is an
> in-kernel api that does a racy query-size+allocate-buffer+retrieve-data
> dance.

Yes, the patches I've sent does use vfs_getxattr_alloc() for fscaps
anymore.

> That api is used for fscaps, security labels, and other xattrs. And that
> api doesn't do any size checks which probably should also be fixed now
> that I write this.
> 
> @Seth?

I agree. I don't see any reason that vfs_getxattr_alloc() shouldn't just
bail out with an error if the size of the xattr is >= XATTR_SIZE_MAX.

Re: [PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[Seth Forshee]

On Mon, Mar 04, 2024 at 08:35:46AM -0600, Seth Forshee wrote:
> On Mon, Mar 04, 2024 at 03:19:58PM +0100, Christian Brauner wrote:
> > On Mon, Mar 04, 2024 at 02:35:07PM +0100, Christian Schoenebeck wrote:
> > > On Monday, March 4, 2024 1:42:43 PM CET Dominique Martinet wrote:
> > > > We probably shouldn't ever get an xattr bigger than that, and the current check
> > > > of SSIZE_MAX is a bit too large.
> > > 
> > > Maybe, OTOH e.g. ACLs (dynamic size) are implemented by storing them as xattrs
> > > on 9p server as well, and this change somewhat expects server to run Linux as
> > > well. So maybe s/XATTR_SIZE_MAX/KMALLOC_MAX_SIZE/ might be more appropriate,
> > > considering that this patch is about fixing a potential kmalloc() warning?
> > > 
> > > Worth to mention in the commit log BTW what the issue was.
> > > 
> > > /Christian
> > 
> > So the error is somewhat specific to filesystem capabilities which also
> > live in the xattr apis but Seth is working to get rid of them in there.
> > 
> > They currently use a special api vfs_getxattr_alloc() which is an
> > in-kernel api that does a racy query-size+allocate-buffer+retrieve-data
> > dance.
> 
> Yes, the patches I've sent does use vfs_getxattr_alloc() for fscaps
> anymore.

Sorry, typo above. My patches do _not_ use vfs_getxattr_alloc() for
fscaps anymore.

> 
> > That api is used for fscaps, security labels, and other xattrs. And that
> > api doesn't do any size checks which probably should also be fixed now
> > that I write this.
> > 
> > @Seth?
> 
> I agree. I don't see any reason that vfs_getxattr_alloc() shouldn't just
> bail out with an error if the size of the xattr is >= XATTR_SIZE_MAX.

Re: [PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[Fedor Pchelkin]

Hi Dominique and Christian,

the issue is still present in upstream kernel [1].

Considering the remark from Christian that limiting the allocation to
XATTR_SIZE_MAX seems too Linux-specific, maybe just fail silently with
__GFP_NOWARN flag passed to the allocator and return ENOMEM? I submitted
the patch [2] sometime ago which looks still applicable to the mainline
kernel. It was superseded with current discussion.

[1]: https://syzkaller.appspot.com/bug?extid=a83dc51a78f0f4cf20da
[2]: https://lore.kernel.org/lkml/20240202121319.21743-1-pchelkin@ispras.ru/

Re: [PATCH] 9p: cap xattr max size to XATTR_SIZE_MAX

[Dominique Martinet]

Fedor Pchelkin wrote on Sun, Sep 01, 2024 at 10:16:55AM +0300:
> the issue is still present in upstream kernel [1].

Right, I didn't register the end of discussion, thanks for the reminder

> Considering the remark from Christian that limiting the allocation to
> XATTR_SIZE_MAX seems too Linux-specific, maybe just fail silently with
> __GFP_NOWARN flag passed to the allocator and return ENOMEM? I submitted
> the patch [2] sometime ago which looks still applicable to the mainline
> kernel. It was superseded with current discussion.

Hmm, at high level, I don't really see the problem of being
linux-specific here - we're writing a linux client.
Something larger might work in the very specific case of the acl call
here, but normal userspace getxattr will be truncated to XATTR_SIZE_MAX
anyway (in do_getxattr), and returning a size larger than that will
yield odd behavior for userspace: calling getxattr with a zero size will
return a size larger than XATTR_SIZE_MAX, then trying to call getxattr
with the returned size will just fail as the buffer is silently
truncated to a shorter size without any way to work around that; it
sounds more coherent to me to just say we can't do it in the first
place.

Anyway, I guess a malicious server has an infinite number of way to
cause nuisance to our clients here so this is the least of our worry,
and not giving a warning is better than giving one, so if we're not
doing anything else adding NOWARN is probably for the best but I'm
really not sure I agree there...

I'm getting less involved with linux as real life commitments increase,
so I'll just defer to whatever eminent folks think about here --
Christian (Brauner), please take your pick of either of these (or
anything else) and I'll apply it:
(just adding nowarn to the acl path that warned)
https://lore.kernel.org/lkml/20240202121319.21743-1-pchelkin@ispras.ru/
or
(limit to XATTR_SIZE_MAX in 9p's xattr_handler->get() op)
https://lore.kernel.org/all/20240304-xattr_maxsize-v1-1-322357ec6bdf@codewreck.org/



(and I see vfs_getxattr_alloc() hasn't been updated to error on
size > XATTR_SIZE_MAX either, but we don't use it anyway)

Thanks,
-- 
Dominique Martinet | Asmadeus