fix(mount): copy xattr value bytes to avoid FUSE buffer aliasing (#9278)

fix(mount): copy xattr value bytes to avoid FUSE buffer aliasing (#9275)

SetXAttr stored the caller-supplied `data` slice directly into
entry.Extended. That slice aliases go-fuse's per-request input buffer,
which is returned to a pool the moment the handler returns. When a file
is open during setxattr (the open-fh path defers persistence to flush),
the next FUSE request recycles the buffer and silently overwrites the
stored xattr bytes; flushMetadataToFiler then ships the corrupted bytes
to the filer. `cp -a` reproduces this because it issues a setxattr while
holding an open fh, then continues to issue follow-up FUSE ops that
reuse the same buffer.

The path-based setxattr (e.g. setfattr without an open fh) saves
synchronously inside the same handler, so the bytes were marshalled
before the buffer could be reused — that is why the source file in the
report looked fine and only the cp -a destination was garbage.

Defensively copy the bytes when storing them, and add a unit test that
mutates the caller buffer after SetXAttr returns to lock in the
invariant.

weed/mount/weedfs_xattr.go

@@ -131,7 +131,10 @@ func (wfs *WFS) SetXAttr(cancel <-chan struct{}, input *fuse.SetXAttrIn, attr st
 	case sys.XATTR_REPLACE:
 		fallthrough
 	default:
-		entry.Extended[XATTR_PREFIX+attr] = data
+		// data aliases the FUSE request's pooled input buffer, which is
+		// recycled once this handler returns. Copy before storing so a
+		// later request reusing the buffer cannot corrupt the value.
+		entry.Extended[XATTR_PREFIX+attr] = append([]byte(nil), data...)
 	}
 
 	if fh != nil {

weed/mount/weedfs_xattr_test.go

@@ -0,0 +1,62 @@
+//go:build !freebsd
+
+package mount
+
+import (
+	"testing"
+
+	"github.com/seaweedfs/go-fuse/v2/fuse"
+	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
+	"github.com/seaweedfs/seaweedfs/weed/util"
+)
+
+// TestSetXAttrCopiesValueBuffer reproduces the bug from
+// https://github.com/seaweedfs/seaweedfs/discussions/9275 where `cp -a`
+// of a file with an extended attribute leaves the destination with a
+// corrupted value. The root cause is that go-fuse hands SetXAttr a
+// `data` slice that aliases the per-request input buffer; when the
+// buffer is returned to the pool and reused for another FUSE request,
+// any reference still held by entry.Extended sees garbage.
+//
+// The bug only manifested when the file was open during setxattr (the
+// open-fh path defers persistence to flush). We simulate that by
+// mutating the caller-supplied buffer after SetXAttr returns.
+func TestSetXAttrCopiesValueBuffer(t *testing.T) {
+	wfs := newCopyRangeTestWFS()
+
+	path := util.FullPath("/aaa.txt")
+	inode := wfs.inodeToPath.Lookup(path, 1, false, false, 0, true)
+	fh := wfs.fhMap.AcquireFileHandle(wfs, inode, &filer_pb.Entry{
+		Name: "aaa.txt",
+		Attributes: &filer_pb.FuseAttributes{
+			FileMode: 0100644,
+			Inode:    inode,
+		},
+	})
+	fh.RememberPath(path)
+
+	// Caller buffer aliases a pool that the kernel will overwrite on
+	// the very next request. SetXAttr must defensively copy.
+	buf := []byte("test,in")
+	status := wfs.SetXAttr(make(chan struct{}), &fuse.SetXAttrIn{
+		InHeader: fuse.InHeader{NodeId: inode},
+	}, "user.xtags", buf)
+	if status != fuse.OK {
+		t.Fatalf("SetXAttr status = %v, want OK", status)
+	}
+
+	// Simulate the request buffer being recycled and reused for an
+	// unrelated payload.
+	for i := range buf {
+		buf[i] = 0xff
+	}
+
+	dest := make([]byte, 64)
+	n, status := wfs.GetXAttr(make(chan struct{}), &fuse.InHeader{NodeId: inode}, "user.xtags", dest)
+	if status != fuse.OK {
+		t.Fatalf("GetXAttr status = %v, want OK", status)
+	}
+	if got := string(dest[:n]); got != "test,in" {
+		t.Fatalf("GetXAttr value = %q, want %q (buffer aliasing leaked into stored xattr)", got, "test,in")
+	}
+}