lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20070403173716.GW5967@schatzie.adilger.int>
Date:	Tue, 3 Apr 2007 11:37:16 -0600
From:	Andreas Dilger <adilger@...sterfs.com>
To:	Theodore Tso <tytso@....edu>
Cc:	Kalpak Shah <kalpak@...sterfs.com>,
	linux-ext4 <linux-ext4@...r.kernel.org>,
	Lustre-discuss <Lustre-discuss@...sterfs.com>
Subject: Re: [PATCH] Correction to check_filetype()

On Mar 31, 2007  10:39 -0400, Theodore Tso wrote:
> I'm going to let this one soak for a bit to make sure we don't pick up
> any fase positives or negatives in the hueristics.
> 
> @@ -133,11 +133,10 @@ int e2fsck_pass1_check_device_inode(ext2
> +	 * If the index flag is set, then this is a bogus
> +	 * device/fifo/socket
>  	 */
> -	if ((ext2fs_inode_data_blocks(fs, inode) != 0) ||
> -	    (inode->i_flags & EXT2_INDEX_FL))
> +	if (inode->i_flags & EXT2_INDEX_FL)
>  		return 0;

There were ancient versions of the kernel that left EXT2_INDEX_FL set
on all files, instead of just directories...  I'm not sure if those
were in actual released kernels, or just in patches.

> +static void check_is_really_dir(e2fsck_t ctx, struct problem_context *pctx,
> +				char *buf)
> +{
> +	if (ext2fs_read_dir_block(ctx->fs, inode->i_block[0], buf))
> +		return;

Do we call check_blocks() on this inode shortly thereafter?  If we do then
the overhead of reading the first block is offset by not reading it again
later.  Otherwise, this could slow things down.

> +	dirent = (struct ext2_dir_entry *) buf;
> +	if (((dirent->name_len & 0xFF) != 1) ||
> +	    (dirent->name[0] != '.') ||
> +	    (dirent->inode != pctx->ino) ||
> +	    (dirent->rec_len < 12) ||
> +	    (dirent->rec_len % 4) ||
> +	    (dirent->rec_len >= ctx->fs->blocksize - 12))
> +		return;
> +
> +	dirent = (struct ext2_dir_entry *) (buf + dirent->rec_len);
> +	if (((dirent->name_len & 0xFF) != 2) ||
> +	    (dirent->name[0] != '.') ||
> +	    (dirent->name[1] != '.') ||
> +	    (dirent->rec_len < 12) ||
> +	    (dirent->rec_len % 4))
> +		return;
> +
> +	if (fix_problem(ctx, PR_1_TREAT_AS_DIRECTORY, pctx)) {
> +		inode->i_mode = (inode->i_mode & 07777) | LINUX_S_IFDIR;
> +		e2fsck_write_inode_full(ctx, pctx->ino, inode, 
> +					EXT2_INODE_SIZE(ctx->fs->super), 
> +					"check_is_really_dir");
>  	}

The one worry I have here (though I don't think it is necessarily IN
the code you propose) is that someone could create a regular file which
looks like a directory and somehow get it linked into the filesystem
tree, giving them escalated access (e.g. device files owned by them,
suid executables, links to otherwise unreadable files, etc).

It would seem that this is only a danger if the mode on the file is
corrupted, which shouldn't really be doable by a regular user, but
it is definitely something to consider.

I take it that this code fixes the test image I previously posted?

Cheers, Andreas
--
Andreas Dilger
Principal Software Engineer
Cluster File Systems, Inc.

-
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ