Christian Brauner wrote on Mon, Mar 04, 2024 at 12:50:12PM +0100: > > kernel: lastest linux 6.7.rc8 90d35da658da8cff0d4ecbb5113f5fac9d00eb72 > > kernel config: https://syzkaller.appspot.com/text?tag=KernelConfig&x=4a65fa9f077ead01 > > with KASAN enabled > > compiler: gcc (GCC) 12.2.0 > > > > TITLE: WARNING in vfs_getxattr_alloc------------[ cut here ]------------ > > Very likely a bug in 9p. Report it on that mailing list. It seems that > p9_client_xattrwalk() returns questionable values for attr_size: > 748310584784038656 > That's obviously a rather problematic allocation request. That's whatever the server requested -- in 9p we don't have the data at allocation time (xattrwalk returns the size, then we "read" it out in a subsequent request), so we cannot double-check that the size makes sense based on a payload at this point. We could obviously add a max (the current max of SSIZE_MAX is "a bit" too generous), but I honestly have no idea what'd make sense for this without breaking some weird usecase somewhere (given the content is "read" we're not limited by the size of a single message; I've seen someone return large content as synthetic xattrs so it's hard to put an actual number for me). If the linux VFS has a max hard-wired somewhere plase tell me and I'll be glad to change the max. Otherwise then as far as I'm concerned if a server returns a huge value they'll get allocation failures and that's about as bad as it'll get; a malicious server could probably do quite a bit of bad if they put their mind at it (perhaps a neverending directory listing or some other metadata trickery), I wouldn't advise anyone to mount a storage they don't trust. -- Dominique
