From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qt1-f172.google.com (mail-qt1-f172.google.com [209.85.160.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 487E423507C for ; Thu, 4 Jun 2026 18:09:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.160.172 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780596551; cv=none; b=ZrVE4+iPyIONCGnsMH52+FGFacs7eH64kMUqAyYzz5z9aiDj84UhWfQbp2HfrTffJ4aJ6znCNb+iTFuvD/5gFUfO6w5Q2F54IIHt2X0rXkqyAi1IUKzNXRIdokmSMkzkia9Qls0YZhDz1uhVQJOVkSVdm0tpKA5xRpgcRdDqO7g= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1780596551; c=relaxed/simple; bh=i0ujoMB3NYlsNFPdP9lq7RAdOjAOpDttICbVjZBocZM=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=mmyZeBzpWo4kpbXTQ4z2NxTth60bbQ0/kSkEjCSfua5R101ZKT1iR1zJDvAlieE6+GNpDpAl1/juAkXdEV8m2KG9omizsqHLJtErT9OVRAg7r72AVA9JznwodiQOJEorR1qgDJzvsl7AyRVRGgVeaTKCxY1h4so7+4mIv0PZ7g0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=NsYFv2Px; arc=none smtp.client-ip=209.85.160.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="NsYFv2Px" Received: by mail-qt1-f172.google.com with SMTP id d75a77b69052e-5177945a22eso6500251cf.1 for ; Thu, 04 Jun 2026 11:09:10 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1780596549; x=1781201349; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=xYChz5dDOhgIdKBmtje4M1+cRrICz03eZkA2AVEvq/0=; b=NsYFv2Px1kAoV9ML90XZPwqfYwgiarGwouElc8OeyCjAjvkOdw6Tju0OqOfut74+RY FhOOz6wV31fH7sbaERdwcsNyLC89JX+oEOoXOPAZCXF4uiuMBQGAzgzV+G9MBRtBudUW HMG2jHnbCkaeZoqJXQP2VVnM/QEdhO3IQ8CKffHw3L8OeMtcMUyf4C5KN/6TInpdqQD5 41O+EUoim1TtcRVWMZ/q+8yVBVw+/6MCKBX+SVTXAqIXT5lfg0HAslYdlsxNbJNPTpr0 VjyFFg0y0SeAhzMWw4t5OJKAnVEMT0PQDKw+ASbxKrvUM5QuljSFHHLcmeGgS1JNg4x1 vukQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1780596549; x=1781201349; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=xYChz5dDOhgIdKBmtje4M1+cRrICz03eZkA2AVEvq/0=; b=W3YFPNTg+3jm0ZHZHm6ONCvev7aFouvxxSI18sdqVSVGPRJEvASFyEaS4AHXcCN5UJ AQNK2fsbK5hgZMlmpPSOvMpmN5TRFY6PiAdlE4d9aL3fOpTDrcNOaZs5yeisucOqcI0F cO5WM9tvoMh++qW+GCyzcBN6wf4O+AkRS5iqTNNEvu3ySf8mOkLElTYVpHRIq6MHOBif pXvLNs6QBUBK3RHRdNFtU7ASlOp6sKRWUsTvLnHd3fP7ABqmoKC+V+c8BrU5vWzhGVyB 6GA9SvV6/m+5kCl5NT1au3S1hyT7PAxk9UFtVVowoAhWHWCHNpDvcGoOHhrtsnTVCvky 1fgg== X-Forwarded-Encrypted: i=1; AFNElJ+NDJtTiViMc+oU77gmfewRj4S+oGmDkYKcDvooOOI1eAMTzmatSSlTHJRT7vARYCt5DaI1OfByZUs7k5I=@vger.kernel.org X-Gm-Message-State: AOJu0YxlUn+xnVJpjVc+cw1PvDe/6EfSaP6fvpsE6IvGRta1L571yxIF i+SWaUaFfMhKr3PQ7R8EfcpFBuqJ4uu9g/2alx5aN59qoMlb7y0/Y4mK X-Gm-Gg: Acq92OGadaJVDYsTxb2CAbmtwfI7zTgDLrZy41bcOzsORda5ss93gqJ0ek9i6C92SbR 1LGO6SJYtP1ntvi6PNndGGP8QiCX4UpQscEDjPH7a1qfx1URpLPqrlba13M5/p4KZbHgvEm8KHf CNtCRawJiId/oyS5LlrKm9pV+llmrW3aRvFVZF6QJHeTOtEGGRV2OsqxfBk2GiQE0Z18DHLWFbo omjvNymg28bnv8k/mc8ihf33F/VUlOT+wSTKEJmB9bgLRbAaP3ZiUvPNngEOoqLS3rHdLLm+1RT 1Y/uWkdiVakCzqZufoO+b7SFSy4nXs97w+IBgXOULBeCl2gCNtmr6FCZDyKjVK3X2xHS9yz7Pk2 guwTRttYP2/3P9rKZt89n3c0/KrVuSONk35LIns8fU5twC03FL5tfs6stnjXsanIk+TJM2hm62b nNy3lVMf1OgNlTjiC0RZMj7mRTiq7yd+bUj6iHHfbcFhBnV76PI7T4ET4cgtYX2l7LZWLWocqPC XlzrhIY54mgJmRRl5KAFe8S153Y2RU= X-Received: by 2002:a05:622a:4e89:b0:517:8bc0:9b5e with SMTP id d75a77b69052e-5178bc09ee5mr52725101cf.47.1780596548942; Thu, 04 Jun 2026 11:09:08 -0700 (PDT) Received: from server0 (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-51775dbd2c9sm59020961cf.23.2026.06.04.11.09.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 04 Jun 2026 11:09:07 -0700 (PDT) From: Michael Bommarito To: Ilya Dryomov , Alex Markuze , Viacheslav Dubeyko Cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH 0/4] ceph: bound untrusted MDS and monitor reply decoders Date: Thu, 4 Jun 2026 14:08:56 -0400 Message-ID: X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7bit The CephFS client decodes several variable-length fields from MDS and monitor replies without checking the declared length against the bytes actually present in the message. Each of the four sites below trusts a 32-bit or 64-bit length from the wire and then copies, advances over, or loops on it. A malicious or compromised server (or, for the monitor map, an on-path attacker on an unsigned messenger session) can drive an out-of-bounds read or an unbounded loop in the client kernel. The fixes add the missing ceph_decode_need()/ceph_decode_copy_safe() bound or an explicit count cap, matching the idioms already used elsewhere in the same decoders. Patch 1 is the most serious: the over-read value is returned to user space through getxattr(2), so it is a kernel-heap information leak (AC:H, requires a user to read the attribute). Patches 2-4 are out-of-bounds reads / an unbounded loop that crash or wedge the client (denial of service, no information disclosure). For patch 3 the supplier is the monitor, a more privileged cluster role than the MDS; it is included as a hardening fix for the info_v 2/3 compatibility path. All four were reproduced on x86_64 QEMU with CONFIG_KASAN=y by calling the real decoder via an in-tree debugfs harness, and re-run with the patch applied: patch 1: stock - __build_xattrs() stores val_len=304 from a 256-byte blob, then the getxattr memcpy is a slab-out-of-bounds read of 304 bytes; patched - decode returns -EIO, no value stored. patch 2: stock - slab-out-of-bounds read of 512 bytes in handle_session(); patched - the bound rejects the record. patch 3: stock - slab-out-of-bounds read in ceph_mdsmap_decode(); patched - decode returns -EINVAL. patch 4: stock - ceph_parse_deleg_inos() runs 1048640 iterations on a crafted len; patched - returns -EIO before the loop. Well-formed replies still decode in every case (valid xattr value, in-range delegation, in-bounds export-target array). These bugs were found with AI assistance and are reported on the public list accordingly, especially since they are mostly about a malicious trusted server. Michael Bommarito (4): ceph: bound xattr value length in __build_xattrs() ceph: bound MDSCapAuth path and fs_name decode in handle_session() ceph: bound num_export_targets array for mds info v2/v3 ceph: cap delegated inode count in ceph_parse_deleg_inos() fs/ceph/mds_client.c | 22 ++++++++++++++++++++-- fs/ceph/mdsmap.c | 2 ++ fs/ceph/super.h | 9 +++++++++ fs/ceph/xattr.c | 1 + 4 files changed, 32 insertions(+), 2 deletions(-) base-commit: f72c95f3a516d87483e225ae081a402a09fd0127 -- 2.53.0