| Message ID | 20240202121319.21743-1-pchelkin@ispras.ru (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | fs: 9p: avoid warning during xattr allocation | expand |
Fedor Pchelkin wrote on Fri, Feb 02, 2024 at 03:13:17PM +0300: > An invalid server may reply with an xattr size which still fits into > ssize_t but is large enough to cause splat during kzalloc(). Ah, sorry for not replying to this earlier.. and I had forgotten about it when something similar came up just now. I've submitted a patch to limit such allocations to 64k: https://lkml.kernel.org/r/20240304-xattr_maxsize-v1-1-322357ec6bdf@codewreck.org Would you agree this makes this patch obsolete? I'll go ahead and add the reported-by/closes you cited in this mail to my commit.
On 24/03/04 10:09PM, Dominique Martinet wrote: > Fedor Pchelkin wrote on Fri, Feb 02, 2024 at 03:13:17PM +0300: > > An invalid server may reply with an xattr size which still fits into > > ssize_t but is large enough to cause splat during kzalloc(). > > > Ah, sorry for not replying to this earlier.. and I had forgotten about > it when something similar came up just now. > > I've submitted a patch to limit such allocations to 64k: > https://lkml.kernel.org/r/20240304-xattr_maxsize-v1-1-322357ec6bdf@codewreck.org > > Would you agree this makes this patch obsolete? Yes, thanks! Checking against the VFS limits is more appropriate. > > I'll go ahead and add the reported-by/closes you cited in this mail to > my commit. Okay. -- Fedor
diff --git a/fs/9p/acl.c b/fs/9p/acl.c index eed551d8555f..e19a46192d2e 100644 --- a/fs/9p/acl.c +++ b/fs/9p/acl.c @@ -29,7 +29,7 @@ static struct posix_acl *v9fs_fid_get_acl(struct p9_fid *fid, const char *name) if (size == 0) return ERR_PTR(-ENODATA); - value = kzalloc(size, GFP_NOFS); + value = kzalloc(size, GFP_NOFS | __GFP_NOWARN); if (!value) return ERR_PTR(-ENOMEM);
An invalid server may reply with an xattr size which still fits into ssize_t but is large enough to cause splat during kzalloc(). Add __GFP_NOWARN flag for the allocation. It seems client side can't do much more about sanity checking here so it's better to return ENOMEM silently. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 85ff872d3f4a ("fs/9p: Implement POSIX ACL permission checking function") Reported-by: syzbot+56fdf7f6291d819b9b19@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/000000000000789bcd05c9aa3d5d@google.com/ Reported-by: syzbot+a83dc51a78f0f4cf20da@syzkaller.appspotmail.com Closes: https://lore.kernel.org/lkml/00000000000086a03405eec3a706@google.com/ Suggested-by: Pavel Skripkin <paskripkin@gmail.com> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> --- fs/9p/acl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)