From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-qv1-f49.google.com (mail-qv1-f49.google.com [209.85.219.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 99546383C8D for ; Tue, 7 Jul 2026 18:06:11 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.219.49 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783447572; cv=none; b=J+eC4ykWHdpTjgHLrsRqjTjwCYYmwDHcsIICIK07K264OII4Vdn2DKThI8loK15t8twQw7SXnbPrYWkifLyqk/S/BEUSoHabhmTul65Ry9b9NZJCs/h48I+RUHzyCWhKcB531VjPvPVLde/+Pvz+JrXiWfN6WPRG39y52j/jfvY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783447572; c=relaxed/simple; bh=NWTLOshyXHMRH/Dncw7yrLlSn+VlqS7kcEkHLHotwpI=; h=From:To:Cc:Subject:Date:Message-ID:MIME-Version; b=tKcmpbEc5Wnu1So7JeDzee5Pf1GOmf8V7sDQ6RDC3V/TmPuCt/q5mLKuQlNEX0oK6occauMwIPToxs4a7WlqpllCb6v5WzbEs9S2YCD3puNeX4Y+grKhXAgSwdovJF6O0qdmh3m2MTLn5UUyDmTZLAwhLWzSm738u4P4/gpFEIg= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Gg/g1DJq; arc=none smtp.client-ip=209.85.219.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Gg/g1DJq" Received: by mail-qv1-f49.google.com with SMTP id 6a1803df08f44-8ee6912d86dso30314446d6.1 for ; Tue, 07 Jul 2026 11:06:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783447570; x=1784052370; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to:content-type; bh=wUirQAAjAeaROJy7goki5PouYfU7+UV7BzjTDszmjJc=; b=Gg/g1DJqqMB7LKpEPbWaNxkI27h7SDtVxC+zrqiuDEk2lMaZBTkehl7k1OrM1VwlMV Eyb7wxoyv2rrYNekutOcLsO0VSbxwsgQGwEh2/DJ+P5NbfoP22gfkqSY9PV0S9oM+BC7 LUT1g5TTatZ5MKGFXe8CJVup0y4vwQ9J6MoYrapUTWSR2MAQ4Cg6t9ZPo+4f1EY9zlKv HR2GydS7T28t1KK7RE4O4GX2b8UjfZtFqadcV2wHUDnIwNOQR7IfO7BBoeTfdVAx9ND4 P8YtI6jTln5lz18jXPc23SsUF0axG+OVc19Ranl28WKaHDuoRu3ldaoDXWNnqZ9m7zLu 2Q0A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783447570; x=1784052370; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to:content-type; bh=wUirQAAjAeaROJy7goki5PouYfU7+UV7BzjTDszmjJc=; b=JY+xm92No+hM5jG3+NoAcFhH8sZvXRJE8VUn/yNadmD60CDuAA8GNpDjdALErLLPuD rQeHk0TKFfs9AAGN7UncodspxEes59bOwtScJ+mv4upENI8IZiTR8E3VC/aFZHZFnml+ Pu1s2dUcD6DC2AAcmkdd9HYLXXYQfOfaiMVYqA5xdih7yFSngjSbUolFNx1ku4Y8CsrE 82zpgmb+DKWaVDksnI3d+2THr/pINt0m3xT/YbztDmX1+8mOWzjRC5pykYrQUGqZHR1O 8THZL7shgtGWX65n3m/JQVxdZ5qGs+7og2zcc9M/q6DyOjeqkJiC3T4b/XzNLEm3qaoj yE5Q== X-Forwarded-Encrypted: i=1; AHgh+Ro7R9EmDCaeLLCIv22cROt9vNIcuNrXAWH3iM5QIjEl1cr7L/p9DLqsu//bcSx0+ql5QAjxnYCSkr12wkg=@vger.kernel.org X-Gm-Message-State: AOJu0YwBi/VhIhqqtbProzSM23eADQZcyW0M4QbpYM8pStFnxwbv/7ff sBWPcka77fYpXWKmwVWN0MJa7fHsFUM1RbDwVXK1ENcjc9O7pbVhfp9B X-Gm-Gg: AfdE7ckF7Gi5gMFOK7aiDza4s+SJX5qgEyO0h2EBaiTGsxgvAB2LNNFc51xamtAr3rt AyXJJYv7EMsEEzu1nqbEv3TXDtkgygrQSlIoLdRmqkRkPiC3RT8xP1e4/05nJlQDpM++T1Jd4QD F88N8y0HazPAcOxRhvPIiacKyPXakla4+9I9q8uv5wq67zkYQ+LW4pmduyDSiaBUZsKPJQHeQqE ijneecf5FXpJ/Wocu6D9qZReFe+dWRuiwccl5l3p2jUOkVzD65rOYKWyp2IfZm6m7hJObddBsFv FtuphWm5jIPUS8cps6V0H3fYbIu7ig9QJYTTqvc7WdFCOovL5+rYsF1a+1+9Sj/C51vbDhDXEMC vSbaXNSl28hThDCCzH8DCwUfOJBgfFKGh7heOXW0oiklcASHhrz2pJLvk4TESzbIZSwG7Vrqcj5 zhrZQfUeyT0DT036Jfp6XS8idIZ30hq7eAS7GybiLnH2eXoIhCAfEhakH7QKllk0Re01KGlSkGv Am8EugFeh/7WWPdsmbg/5mxc/s53e4pmKRhcbePAcI= X-Received: by 2002:ad4:5c4d:0:b0:8ef:a4d5:1523 with SMTP id 6a1803df08f44-8fcb54d30damr80070956d6.42.1783447570376; Tue, 07 Jul 2026 11:06:10 -0700 (PDT) Received: from server0.tail6e7dd.ts.net (c-68-48-65-54.hsd1.mi.comcast.net. [68.48.65.54]) by smtp.gmail.com with ESMTPSA id 6a1803df08f44-8f471de87e3sm166404376d6.35.2026.07.07.11.06.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 07 Jul 2026 11:06:09 -0700 (PDT) From: Michael Bommarito To: Ilya Dryomov , Alex Markuze , Viacheslav Dubeyko Cc: ceph-devel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH v3 0/4] ceph: bound untrusted MDS and monitor reply decoders Date: Tue, 7 Jul 2026 14:05:56 -0400 Message-ID: X-Mailer: git-send-email 2.53.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7bit This is v3 of the CephFS decoder-bound series. The four bugs are independent; each bounds an untrusted length or count that a malicious or compromised MDS or monitor controls on the wire. 1/4 rejects a final xattr value length that runs past the xattr blob. 2/4 bounds MDSCapAuth path and fs_name copies in handle_session(). 3/4 bounds the mdsmap export_targets array for info_v 2/3. 4/4 caps delegated-inode parsing by per-session population and by one reply's aggregate interval length. Patches 1/4 and 2/4 carry Viacheslav Dubeyko's Reviewed-by from v1. Patch 3/4 carries his Reviewed-by from v2. Patch 4/4 is reworked to address his v2 review, described below. Changes in v3: - Rebased onto ceph/testing (base-commit fc67edb66b3c9 below); v2 no longer applied there. The series applies cleanly with git am on that base. Patches 1-3 are unchanged apart from the rebase. - Patch 4/4 reworked per review of v2: - The per-session count is now enforced in a single place, ceph_insert_deleg_ino(), using atomic_add_unless() rather than an increment-then-decrement pattern. Since that helper is the only caller that grows the count, the per-session population can never exceed CEPH_MAX_DELEG_INOS, so the separate per-session pre-check in the decode loop is dropped. - The per-reply aggregate check is kept. It is the bound that stops one reply from spinning the insert loop on duplicate ranges without growing the per-session count, which the per-insert cap alone does not catch. - CEPH_MAX_DELEG_INOS is cast to u64 where it is compared against and subtracted from the u64 interval length. - The redundant warning in the decode loop is removed; ceph_insert_deleg_ino() already logs when the cap is reached, and the warnings now report the counts involved. Michael Bommarito (4): ceph: bound xattr value length in __build_xattrs() ceph: bound MDSCapAuth path and fs_name decode in handle_session() ceph: bound num_export_targets array for mds info v2/v3 ceph: cap delegated inode count in ceph_parse_deleg_inos() fs/ceph/mds_client.c | 67 ++++++++++++++++++++++++++++++++++++++------ fs/ceph/mds_client.h | 1 + fs/ceph/mdsmap.c | 7 ++++- fs/ceph/super.h | 9 ++++++ fs/ceph/xattr.c | 1 + 5 files changed, 76 insertions(+), 9 deletions(-) base-commit: fc67edb66b3c9924c4e0bb366a92b32ea13c526a -- 2.53.0