[PATCH v2 0/4] ceph: bound untrusted MDS and monitor reply decoders
From: Michael Bommarito
Date: Sat Jun 06 2026 - 15:01:08 EST
This is v2 of the CephFS decoder-bound series. The first two patches are
unchanged code-wise and now carry Slava's Reviewed-by. Patches 3 and 4
address the review feedback on overflow-safe sizing and aggregate delegated
inode bounds.
The four bugs are still independent:
1/4 rejects a final xattr value length that runs past the xattr blob.
2/4 bounds MDSCapAuth path and fs_name copies in handle_session().
3/4 bounds the mdsmap export_targets array for info_v 2/3.
4/4 bounds delegated-inode parsing by session population and by one
reply's aggregate interval length.
Changes in v2:
- Add Reviewed-by: Viacheslav Dubeyko to patches 1 and 2.
- Patch 3 computes the export-targets byte count with size_mul() and
reuses the checked length for the cursor advance.
- Patch 4 replaces the per-interval cap with a per-session population
counter and a per-reply interval budget, so repeated replies and
duplicate ranges are bounded too. The cap stays a fixed client-side
constant because the kernel client never sees the userspace
mds_client_prealloc_inos option; it is sized as a generous multiple of
that option's documented default of 1000.
Michael Bommarito (4):
ceph: bound xattr value length in __build_xattrs()
ceph: bound MDSCapAuth path and fs_name decode in handle_session()
ceph: bound num_export_targets array for mds info v2/v3
ceph: cap delegated inode count in ceph_parse_deleg_inos()
fs/ceph/mds_client.c | 59 ++++++++++++++++++++++++++++++++++++++------
fs/ceph/mds_client.h | 1 +
fs/ceph/mdsmap.c | 7 +++++-
fs/ceph/super.h | 9 +++++++
fs/ceph/xattr.c | 1 +
5 files changed, 68 insertions(+), 9 deletions(-)
base-commit: f72c95f3a516d87483e225ae081a402a09fd0127
--
2.53.0