Commit 550f7ca9 authored Nov 18, 2024 by Max Kellermann Committed by Ilya Dryomov Dec 16, 2024

ceph: give up on paths longer than PATH_MAX



If the full path to be built by ceph_mdsc_build_path() happens to be
longer than PATH_MAX, then this function will enter an endless (retry)
loop, effectively blocking the whole task.  Most of the machine
becomes unusable, making this a very simple and effective DoS
vulnerability.

I cannot imagine why this retry was ever implemented, but it seems
rather useless and harmful to me.  Let's remove it and fail with
ENAMETOOLONG instead.

Cc: stable@vger.kernel.org
Reported-by: Dario Weißer <dario@cure53.de>
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Alex Markuze <amarkuze@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>

parent d6fd6f82

fs/ceph/mds_client.c

+4 −5

Original line number	Diff line number	Diff line
		@@ -2800,12 +2800,11 @@ char ceph_mdsc_build_path(struct ceph_mds_client mdsc, struct dentry *dentry,

		if (pos < 0) {
		/*
		* A rename didn't occur, but somehow we didn't end up where
		* we thought we would. Throw a warning and try again.
		* The path is longer than PATH_MAX and this function
		* cannot ever succeed. Creating paths that long is
		* possible with Ceph, but Linux cannot use them.
		*/
		pr_warn_client(cl, "did not end path lookup where expected (pos = %d)\n",
		pos);
		goto retry;
		return ERR_PTR(-ENAMETOOLONG);
		}

		*pbase = base;