lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 14 May 2018 11:12:17 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     "Theodore Y. Ts'o" <tytso@....edu>,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        syzbot <syzbot+a9a45987b8b2daabdc88@...kaller.appspotmail.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        syzkaller <syzkaller@...glegroups.com>,
        Andreas Dilger <adilger.kernel@...ger.ca>,
        linux-ext4@...r.kernel.org, LKML <linux-kernel@...r.kernel.org>
Subject: Re: kernel panic: EXT4-fs (device loop0): panic forced after error

On Sun, May 6, 2018 at 10:30 PM, Theodore Y. Ts'o <tytso@....edu> wrote:
> On Sun, May 06, 2018 at 11:40:10PM +0900, Tetsuo Handa wrote:
>> > We could add a full kernel-mode fsck which gets run before mount ---
>> > the question is how much complexity we want to add.  If SELinux is
>> > enabled, then we have to check xattr consinsistency, etc., etc.
>>
>> You are thinking too complicated. I'm not asking for kernel-mode fsck.
>
> That is the logical outcome of what you are asking for.  There will
> *always* be a point after which where we can't atomically unwind the
> mount, and we have to proceed.  And after that point, when we detect
> an inconsistency all we can do is what the system administrator
> requested that we do.  Sure, for this particular case, we can
> significantly add more complexity and decrease the maintainability of
> the code paths involved.  But there will always be another case
> (e.g,. xattr's being read by SELinux or IMA) that will happen during
> the mount, and are we expected to catch all of those cases?
>
> We do catch a lot of cases where we refuse the mount and complain that
> the file system is badly corrupted.  This just doesn't happen to be
> one of them.
>
>> I'm just suggesting that mount() request returns an error to the caller
>> (and the administrator invokes fsck etc. as needed).
>>
>> We are fixing bugs which occur during mount operation (e.g.
>>
>>   https://groups.google.com/d/msg/syzkaller-bugs/Yp4q8n-MijM/yDX3zl1XBQAJ
>>   https://groups.google.com/d/msg/syzkaller-bugs/4C4oiBX8vZ0/W6pi8NdbBgAJ
>>   https://groups.google.com/d/msg/syzkaller-bugs/QBnHAQBy2pI/ccf-yL5bBgAJ
>
> These are different because there are kernel OOPS or warning messages.
> This is neither a kernel OOPS or a WARN_ON or BUG_ON.
>
>> And extX filesystem is different from other filesystems that it invokes
>> error action specified by errors= parameter rather than return an error to
>> the caller.
>
> Syzkaller (or anyone else) can mount the file system with
> errors=continue or errors=remount-ro if it wants to override the
> requested behavior of the flag in the superblock which is manipulated
> by tune2fs.


Filed https://github.com/google/syzkaller/issues/599 to always pass
errors=remount-ro when mounting ext4.

Powered by blists - more mailing lists