Skip to content

sentry/fuse: validate NodeID in LOOKUP responses#13525

Open
TristanInSec wants to merge 1 commit into
google:masterfrom
TristanInSec:fix-fuse-lookup-nodeid-validation
Open

sentry/fuse: validate NodeID in LOOKUP responses#13525
TristanInSec wants to merge 1 commit into
google:masterfrom
TristanInSec:fix-fuse-lookup-nodeid-validation

Conversation

@TristanInSec

Copy link
Copy Markdown
Contributor

The NodeID validation (reject 0 and FUSE_ROOT_ID) in newEntry was gated behind opcode != linux.FUSE_LOOKUP, so LOOKUP responses from the FUSE daemon bypassed all NodeID checks. A FUSE daemon could return NodeID=0 (which means "no such entry" in the FUSE protocol) and gVisor would create a real inode with that ID, or return FUSE_ROOT_ID to alias the root inode.

This splits the validation so that NodeID checks apply to all response types. For LOOKUP with NodeID=0, returns ENOENT to match Linux fuse_lookup_name() behavior for negative lookups. For FUSE_ROOT_ID or NodeID=0 on non-LOOKUP opcodes, returns EIO. File type validation remains LOOKUP-exempt since LOOKUP doesn't pass an expected type.

The NodeID validation (reject 0 and FUSE_ROOT_ID) was gated behind opcode != FUSE_LOOKUP, so LOOKUP responses from the FUSE daemon bypassed all NodeID checks. A malicious daemon could return NodeID=0 (which means "no such entry" in the FUSE protocol) and gVisor would create a real inode with that ID, or return FUSE_ROOT_ID to create inode aliasing with the root.

Split the validation so that NodeID checks apply to all response types. For LOOKUP with NodeID=0, return ENOENT (matching Linux fuse_lookup_name behavior for negative lookups). For FUSE_ROOT_ID or NodeID=0 on non-LOOKUP opcodes, return EIO. File type validation remains LOOKUP-exempt since LOOKUP doesn't pass an expected type.
copybara-service Bot pushed a commit that referenced this pull request Jul 7, 2026
The NodeID validation (reject 0 and FUSE_ROOT_ID) in newEntry was gated behind `opcode != linux.FUSE_LOOKUP`, so LOOKUP responses from the FUSE daemon bypassed all NodeID checks. A FUSE daemon could return NodeID=0 (which means "no such entry" in the FUSE protocol) and gVisor would create a real inode with that ID, or return FUSE_ROOT_ID to alias the root inode.

This splits the validation so that NodeID checks apply to all response types. For LOOKUP with NodeID=0, returns ENOENT to match Linux `fuse_lookup_name()` behavior for negative lookups. For FUSE_ROOT_ID or NodeID=0 on non-LOOKUP opcodes, returns EIO. File type validation remains LOOKUP-exempt since LOOKUP doesn't pass an expected type.

FUTURE_COPYBARA_INTEGRATE_REVIEW=#13525 from TristanInSec:fix-fuse-lookup-nodeid-validation f4f4837
PiperOrigin-RevId: 944063075
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants