Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp1618676ybl; Wed, 28 Aug 2019 18:13:53 -0700 (PDT) X-Google-Smtp-Source: APXvYqxe5nYqhodOc8CAJjWTeDONsSd3zAMWX3YVbXRJy+bIiMwooUUHUudWqP4Sm3TdsIzh08pP X-Received: by 2002:a17:90a:b781:: with SMTP id m1mr6788514pjr.141.1567041233818; Wed, 28 Aug 2019 18:13:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1567041233; cv=none; d=google.com; s=arc-20160816; b=tUwqifTovfcjs3VF9Y4Us7bD8LsRvxWXM9QQJ12n9lMYtg/oHFqUYtaFfM9EnjFSel x01rf/ipnamqfLxsOvPo3vigRyOKmQ13JeSlPxfPjTFlvG4EMJxiUqwiSgYr3sn5bj5Z gKXUmdfbIYi6MoN/+XrCKP5MMXVUvvisXBffS0ICPTbzkwEPb2A1kHDaApMmNGnejHWO oESHUg1FQX/q5OvNymSJRb/hP8HYc815hvxYfFK9ozzlyMQUxS4wxriESy0GsXxiW3lG hSwHFYcVI3lucRsG2lyCty+++GdZoeDt2Y1+1lIfHzRu/TeODfUL4INm3n9+xMB7J9yE yLMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=UYj3cqC7l3FWSTGdZ+ONCE6j4ypWMGOLre0cYoTIi0Q=; b=SxbqAGW5PbQgY80s3//HBhQ9Uyl6NIh1zVYzhVuF1gypkdyt+zwfuYddC6OBhqxU4X UHY35UU3mg33IZLhebbtnXO29OUdW47IAFGvdkr3IBJdIbZ+XObm+88ylGUnXx8CRNbn TLuDZogB+KHXfjOYxKwnmgzbEtAolo4DizrmdTjxzamlif3jCJVKD/lZzZMyny3wG44n mwYrNo/vu535+xe0nhJLePUh/LyTx/G5t0MBVoP3KWIMartAagGypFLIgMN4lK448itB Fd8WREZsd2xZizkT9d6mDF3JU9ZWOceA9gthLLcmSLG8qAMHwjQYCfGsnT5wHuKKSd01 0JYA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c189si834291pfa.110.2019.08.28.18.13.25; Wed, 28 Aug 2019 18:13:53 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726384AbfH2BNS (ORCPT + 99 others); Wed, 28 Aug 2019 21:13:18 -0400 Received: from fieldses.org ([173.255.197.46]:49602 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726369AbfH2BNS (ORCPT ); Wed, 28 Aug 2019 21:13:18 -0400 Received: by fieldses.org (Postfix, from userid 2815) id 4ED8B1CB4; Wed, 28 Aug 2019 21:13:17 -0400 (EDT) Date: Wed, 28 Aug 2019 21:13:17 -0400 From: "bfields@fieldses.org" To: Trond Myklebust Cc: "linux-nfs@vger.kernel.org" , "aglo@umich.edu" , "louis.devandiere@atos.net" Subject: Re: Maximum Number of ACL on NFSv4 Message-ID: <20190829011317.GA1982@fieldses.org> References: <20190828180541.GC29148@fieldses.org> <20190828192931.GA30217@fieldses.org> <848b2abbedb5147e7a7e527111018fb04ec9ed7d.camel@hammerspace.com> <20190828210615.GA32010@fieldses.org> <20190828214431.GB32010@fieldses.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20190828214431.GB32010@fieldses.org> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Wed, Aug 28, 2019 at 05:44:31PM -0400, bfields@fieldses.org wrote: > On Wed, Aug 28, 2019 at 09:26:20PM +0000, Trond Myklebust wrote: > > On Wed, 2019-08-28 at 17:06 -0400, bfields@fieldses.org wrote: > > > On Wed, Aug 28, 2019 at 08:25:16PM +0000, Trond Myklebust wrote: > > > > Umm... Don't forget that NFSv4 ACL aces are typically much larger > > > > than > > > > POSIX ACL aces because the user/group names are encoded as strings, > > > > not > > > > binary uids and gids. > > > > > > > > IOW: The size of the RPC message is likely to be a lot larger than > > > > the > > > > resulting POSIX ACL... > > > > > > Actually this limit is post-idmapping, but, yes, before NFSv4->Posix > > > mapping (complicated in itself), which is why I talked about having > > > to > > > estimate. > > > > > > More interested to hear what you think about whether we need a limit > > > at > > > all. Do we have any ideas how big is too big a number to pass to > > > kmalloc? Or is it OK to just let anything through and let kmalloc > > > fail? > > > > > > > A NFSv4.x client is always required to respect the max request size as > > negotiated during CREATE_SESSION, so there is an upper limit right > > there. On Linux, the client will never try to negotiate a limit greater > > than 1MB. > > The limit's actually a sanity check on the number of ACEs. Since that's > what we're about to use in the kmalloc; in the ACL xdr decoding: > > if (nace > NFS4_ACL_MAX) > return nfserr_fbig; > > *acl = svcxdr_tmpalloc(argp, nfs4_acl_bytes(nace)); > > Maybe the simplest thing is only to reject an nace value that'd be > impossible given the size of the rpc call. Or I guess we could realloc as necessary as we actually read the entries. But the below seems simplest. It still provides some check on the ace count, but it'll ensure we're no longer imposing artificial limits not already required by the session or the filesystem. struct nfs4_ace is 20 bytes on my system so in practice this is limiting that kmalloc to about a megabyte. --b. diff --git a/fs/nfsd/acl.h b/fs/nfsd/acl.h index 4cd7c69a6cb9..ba14d2f4b64f 100644 --- a/fs/nfsd/acl.h +++ b/fs/nfsd/acl.h @@ -39,14 +39,6 @@ struct nfs4_acl; struct svc_fh; struct svc_rqst; -/* - * Maximum ACL we'll accept from a client; chosen (somewhat - * arbitrarily) so that kmalloc'ing the ACL shouldn't require a - * high-order allocation. This allows 204 ACEs on x86_64: - */ -#define NFS4_ACL_MAX ((PAGE_SIZE - sizeof(struct nfs4_acl)) \ - / sizeof(struct nfs4_ace)) - int nfs4_acl_bytes(int entries); int nfs4_acl_get_whotype(char *, u32); __be32 nfs4_acl_write_who(struct xdr_stream *xdr, int who); diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 565d2169902c..c1fc2641e3e7 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -204,6 +204,13 @@ static __be32 *read_buf(struct nfsd4_compoundargs *argp, u32 nbytes) return p; } +static unsigned int compoundargs_bytes_left(struct nfsd4_compoundargs *argp) +{ + unsigned int this = (char *)argp->end - (char *)argp->p; + + return this + argp->pagelen; +} + static int zero_clientid(clientid_t *clid) { return (clid->cl_boot == 0) && (clid->cl_id == 0); @@ -348,7 +355,12 @@ nfsd4_decode_fattr(struct nfsd4_compoundargs *argp, u32 *bmval, READ_BUF(4); len += 4; nace = be32_to_cpup(p++); - if (nace > NFS4_ACL_MAX) + if (nace > compoundargs_bytes_left(argp)/20) + /* + * Even with 4-byte names there wouldn't be + * space for that many aces; something fishy is + * going on: + */ return nfserr_fbig; *acl = svcxdr_tmpalloc(argp, nfs4_acl_bytes(nace));