lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 28 Jun 2018 13:55:49 -0600
From:   Andreas Dilger <adilger@...ger.ca>
To:     Lukas Czerner <lczerner@...hat.com>
Cc:     linux-ext4@...r.kernel.org
Subject: Re: [PATCH] e2fsck: do not allow initialized blocks pass i_size

On Jun 28, 2018, at 7:59 AM, Lukas Czerner <lczerner@...hat.com> wrote:
> 
> We do not allow initialized blocks to exist past i_size as this could
> lead to stale data exposure.

I don't think this is any more dangerous than uninitialized bytes beyond
i_size in the same block, or as a hole in the middle of the file exposing
stale data.  That is to say, there is some risk, but not any worse.  The
converse is true also - extending i_size to the end of the allocated blocks
will not only expose that data, but in some cases make applications think
the file is corrupted because there are now NULs at the end of the file.

If we think that the existing f_eofblocks test covers the same, then I'm
OK with removing this test.  However, the one nice thing about the new test
is that it is generated by test scripts rather than being a binary blob,
so it is more clear what is being tested.

Cheers, Andreas

> 
> Remove test f_pgsize_gt_blksize because it is testing for the scenario
> that not allowed. f_eofblocks is already testing for this.
> 
> Signed-off-by: Lukas Czerner <lczerner@...hat.com>
> ---
> e2fsck/pass1.c                     | 12 ++----------
> tests/f_eofblocks/expect.1         |  2 ++
> tests/f_pgsize_gt_blksize/expect.1 |  7 -------
> tests/f_pgsize_gt_blksize/expect.2 |  7 -------
> tests/f_pgsize_gt_blksize/name     |  1 -
> tests/f_pgsize_gt_blksize/script   | 18 ------------------
> 6 files changed, 4 insertions(+), 43 deletions(-)
> delete mode 100644 tests/f_pgsize_gt_blksize/expect.1
> delete mode 100644 tests/f_pgsize_gt_blksize/expect.2
> delete mode 100644 tests/f_pgsize_gt_blksize/name
> delete mode 100644 tests/f_pgsize_gt_blksize/script
> 
> diff --git a/e2fsck/pass1.c b/e2fsck/pass1.c
> index f1fa5d94..461f5fb6 100644
> --- a/e2fsck/pass1.c
> +++ b/e2fsck/pass1.c
> @@ -3448,16 +3448,8 @@ static void check_blocks(e2fsck_t ctx, struct problem_context *pctx,
> 
> 		size = EXT2_I_SIZE(inode);
> 		if ((pb.last_init_lblock >= 0) &&
> -		    /* if size is smaller than expected by the block count,
> -		     * allow allocated blocks to end of PAGE_SIZE.
> -		     * last_init_lblock is the last in-use block, so it is
> -		     * the minimum expected file size, but +1 because it is
> -		     * the base-zero block number and not the block count. */
> -		    (size < (__u64)pb.last_init_lblock * fs->blocksize) &&
> -		    ((pb.last_init_lblock + 1) / blkpg * blkpg !=
> -		     (pb.last_init_lblock + 1) ||
> -		     size < (__u64)(pb.last_init_lblock & ~(blkpg - 1)) *
> -		     fs->blocksize))
> +		    /* Do not allow initialized allocated blocks past i_size*/
> +		    (size < (__u64)pb.last_init_lblock * fs->blocksize))
> 			bad_size = 3;
> 		else if (!(extent_fs && (inode->i_flags & EXT4_EXTENTS_FL)) &&
> 			 size > ext2_max_sizes[fs->super->s_log_block_size])
> diff --git a/tests/f_eofblocks/expect.1 b/tests/f_eofblocks/expect.1
> index 34222480..f224b7da 100644
> --- a/tests/f_eofblocks/expect.1
> +++ b/tests/f_eofblocks/expect.1
> @@ -1,4 +1,6 @@
> Pass 1: Checking inodes, blocks, and sizes
> +Inode 30, i_size is 2048, should be 4096.  Fix? yes
> +
> Inode 31, i_size is 2048, should be 6144.  Fix? yes
> 
> Pass 2: Checking directory structure
> diff --git a/tests/f_pgsize_gt_blksize/expect.1 b/tests/f_pgsize_gt_blksize/expect.1
> deleted file mode 100644
> index c00f5db5..00000000
> --- a/tests/f_pgsize_gt_blksize/expect.1
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -Pass 1: Checking inodes, blocks, and sizes
> -Pass 2: Checking directory structure
> -Pass 3: Checking directory connectivity
> -Pass 4: Checking reference counts
> -Pass 5: Checking group summary information
> -test_filesys: 12/32 files (0.0% non-contiguous), 40/100 blocks
> -Exit status is 0
> diff --git a/tests/f_pgsize_gt_blksize/expect.2 b/tests/f_pgsize_gt_blksize/expect.2
> deleted file mode 100644
> index c00f5db5..00000000
> --- a/tests/f_pgsize_gt_blksize/expect.2
> +++ /dev/null
> @@ -1,7 +0,0 @@
> -Pass 1: Checking inodes, blocks, and sizes
> -Pass 2: Checking directory structure
> -Pass 3: Checking directory connectivity
> -Pass 4: Checking reference counts
> -Pass 5: Checking group summary information
> -test_filesys: 12/32 files (0.0% non-contiguous), 40/100 blocks
> -Exit status is 0
> diff --git a/tests/f_pgsize_gt_blksize/name b/tests/f_pgsize_gt_blksize/name
> deleted file mode 100644
> index 3aa02027..00000000
> --- a/tests/f_pgsize_gt_blksize/name
> +++ /dev/null
> @@ -1 +0,0 @@
> -PAGE_SIZE larger than blocksize with hole at end
> diff --git a/tests/f_pgsize_gt_blksize/script b/tests/f_pgsize_gt_blksize/script
> deleted file mode 100644
> index 422b83ae..00000000
> --- a/tests/f_pgsize_gt_blksize/script
> +++ /dev/null
> @@ -1,18 +0,0 @@
> -SKIP_GUNZIP="true"
> -
> -touch $TMPFILE
> -$MKE2FS -N 32 -F -o Linux -b 1024 $TMPFILE 100 > /dev/null 2>&1
> -
> -DATA_FILE=$(mktemp ${TMPDIR:-/tmp}/e2fsprogs-zerodata.XXXXXX)
> -dd if=$TEST_BITS of=$DATA_FILE bs=1k count=16 > /dev/null 2>&1
> -$DEBUGFS -w $TMPFILE << EOF > /dev/null 2>&1
> -write $DATA_FILE foo
> -set_inode_field foo size 13000
> -q
> -EOF
> -
> -. $cmd_dir/run_e2fsck
> -
> -rm -f $DATA_FILE
> -
> -unset DATA_FILE
> --
> 2.17.1
> 


Cheers, Andreas






Download attachment "signature.asc" of type "application/pgp-signature" (874 bytes)

Powered by blists - more mailing lists