Message-ID: <20191104032212.GA12046@mit.edu>
Date: Sun, 3 Nov 2019 22:22:12 -0500
From: "Theodore Y. Ts'o" <tytso@....edu>
To: xiaohui li <lixiaohui1@...omi.corp-partner.google.com>
Cc: Xiaohui1 Li 李晓辉 <lixiaohui1@...omi.com>, "linux-ext4@...r.kernel.org" <linux-ext4@...r.kernel.org>, "harshadshirwadkar@...il.com" <harshadshirwadkar@...il.com>
Subject: Re: Reply: [External Mail]Re: [PATCH v3 09/13] ext4: fast-commit commit path changes

On Mon, Nov 04, 2019 at 09:01:28AM +0800, xiaohui li wrote:
>
> when in writeback mode, inode's data has not to be waited in jbd2
> thread, so the fsync time cost is also reduced.
> meanwhile, writeback mode also can guarantee filesystem consistency in
> os crash-reboot conditions,
> with only one drawback is that it will cause security problems such as
> stale data will be seen.

It's not just stale data; in data=writeback, today if a file gets
deleted, its blocks are immediately eligible to be reused. If there
is a crash before the transaction is committed, there could be a file
that would have been deleted (and perhaps replaced) that doesn't in
fact get deleted, but its data blocks will have been corrupted.

I'm not fond of that particular behavior, and I may look to fix it,
but in general, data=writeback means that data blocks may be corrupted
or contain stale data after a crash --- for blocks that were freshly
created, or for a file that might have been deleted, but except for
the crash which means that the file deletion doesn't actually get
corrupted.

> but in android system with file encryption enabled, there is no
> security problem as files are all encrypted.
> but user will see wrong file data in system crash-reboot conditions
> with writeback mode enabled.

If all files are encrypted, then yes, the chances of stale data
causing security issues are significantly reduced. But see also the
case of a file which is deleted immediately before a crash.

Things are more complex in terms of the data guarantees after a crash,
which is why data=ordered is the default.

Regards,

- Ted