Date:   Mon, 24 Aug 2020 15:42:59 -0400
From:   Jeff Layton <jlayton@...nel.org>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     linux-fscrypt@...r.kernel.org, linux-ext4@...r.kernel.org,
        linux-f2fs-devel@...ts.sourceforge.net,
        linux-mtd@...ts.infradead.org, ceph-devel@...r.kernel.org
Subject: Re: [RFC PATCH 1/8] fscrypt: add fscrypt_prepare_new_inode() and
 fscrypt_set_context()

On Mon, 2020-08-24 at 12:02 -0700, Eric Biggers wrote:
> On Mon, Aug 24, 2020 at 02:47:07PM -0400, Jeff Layton wrote:
> > On Mon, 2020-08-24 at 11:21 -0700, Eric Biggers wrote:
> > > On Mon, Aug 24, 2020 at 12:48:48PM -0400, Jeff Layton wrote:
> > > > > +void fscrypt_hash_inode_number(struct fscrypt_info *ci,
> > > > > +			       const struct fscrypt_master_key *mk)
> > > > > +{
> > > > > +	WARN_ON(ci->ci_inode->i_ino == 0);
> > > > > +	WARN_ON(!mk->mk_ino_hash_key_initialized);
> > > > > +
> > > > > +	ci->ci_hashed_ino = (u32)siphash_1u64(ci->ci_inode->i_ino,
> > > > > +					      &mk->mk_ino_hash_key);
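Review bot: the siphash_1u64() call takes ci->ci_inode->i_ino as its input and the result is cast to u32, but nothing in the function states what width of inode number is being hashed or why 32 bits of output are enough. Since ci_hashed_ino is derived from this value, a short comment above the function should spell out the contract: the inode number must already be assigned, the per-master-key hash key must be initialized (the two conditions the WARN_ON() lines check), and which inode number is hashed. Copying the inode number into an explicit u64 local before hashing would make that input width visible at the call site. Note also that both WARN_ON() checks only warn; the hash is still computed and stored when either condition fails.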
> > > > 
> > > > i_ino is an unsigned long. Will this produce consistent results on
> > > > arches with 32 and 64 bit long values? I think it'd be nice to ensure
> > > > that we can access an encrypted directory created on a 32-bit host from
> > > > (e.g.) a 64-bit host.
> > > 
> > > The result is the same regardless of word size and endianness.
> > > siphash_1u64(v, k) is equivalent to:
> > > 
> > > 	__le64 x = cpu_to_le64(v);
> > > 	siphash(&x, 8, k);
> > > 
> > 
> > In the case where you have an (on-storage) inode number that is larger
> > than 2^32, x will almost certainly be different on a 32 vs. 64-bit
> > wordsize.
> > 
> > On the box with the 32-bit wordsize, you'll end up promoting i_ino to a
> > 64-bit word and the upper 32 bits will be zeroed out. So it seems like
> > this means that if you're using inline hardware you're going to end up
> > with a result that won't work correctly across different wordsizes.
> 
> That's only possible if the VFS is truncating the inode number, which would also
> break userspace in lots of ways like making applications think that files are
> hard-linked together when they aren't.  Also, IV_INO_LBLK_64 would break.
> 
> The correct fix for that would be to make inode::i_ino 64-bit.
> 

...or just ask the filesystem for the 64-bit inode number via ->getattr
or a new op. You could also just truncate it down to 32 bits or xor the
top and bottom bits together first, etc...

> Note that ext4 and f2fs (currently the only filesystems that support the
> IV_INO_LBLK_* flags) only support 32-bit inode numbers.
> 

Ahh, ok. That explains why it's not been an issue so far. Still, if
you're reworking this code anyway, you might want to consider avoiding
i_ino here.

-- 
Jeff Layton <jlayton@...nel.org>
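
An added example, not part of the thread or of the kernel patch: a stand-alone user-space C model of the quoted `(u32)siphash_1u64(i_ino, key)` computation, showing that the hash is identical across word sizes for the same input value, and that a result differs only when the inode number above 2^32 has already been truncated to a 32-bit `unsigned long`. The names `sip_1u64`, `i_ino_seen` and `hashed_ino` are this example's own, and the key and inode numbers are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

#define ROL(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND do { \
	v0 += v1; v1 = ROL(v1, 13); v1 ^= v0; v0 = ROL(v0, 32); \
	v2 += v3; v3 = ROL(v3, 16); v3 ^= v2; \
	v0 += v3; v3 = ROL(v3, 21); v3 ^= v0; \
	v2 += v1; v1 = ROL(v1, 17); v1 ^= v2; v2 = ROL(v2, 32); \
} while (0)

/* SipHash-2-4 of one 64-bit word, i.e. of its 8 little-endian bytes. */
static uint64_t sip_1u64(uint64_t m, uint64_t k0, uint64_t k1)
{
	uint64_t v0 = 0x736f6d6570736575ULL ^ k0, v1 = 0x646f72616e646f6dULL ^ k1;
	uint64_t v2 = 0x6c7967656e657261ULL ^ k0, v3 = 0x7465646279746573ULL ^ k1;
	const uint64_t b = 8ULL << 56;	/* message length (8 bytes) in the top byte */

	v3 ^= m; SIPROUND; SIPROUND; v0 ^= m;		/* absorb the single word */
	v3 ^= b; SIPROUND; SIPROUND; v0 ^= b;		/* absorb the length block */
	v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND;
	return v0 ^ v1 ^ v2 ^ v3;
}

/* Assumed model of i_ino as unsigned long: a 32-bit long keeps only the low half. */
static uint64_t i_ino_seen(uint64_t on_disk_ino, int long_bits)
{
	return long_bits == 32 ? (uint32_t)on_disk_ino : on_disk_ino;
}

/* The quoted computation, applied to the inode number each host would see. */
static uint32_t hashed_ino(uint64_t on_disk_ino, int long_bits, uint64_t k0, uint64_t k1)
{
	return (uint32_t)sip_1u64(i_ino_seen(on_disk_ino, long_bits), k0, k1);
}

int main(void)
{
	/* Constructed inputs: the SipHash reference key, one small ino, one above 2^32. */
	const uint64_t k0 = 0x0706050403020100ULL, k1 = 0x0f0e0d0c0b0a0908ULL;
	const uint64_t inos[] = { 12345, 0x0706050403020100ULL };

	for (int i = 0; i < 2; i++)
		printf("ino %#llx: 32-bit long -> %#x, 64-bit long -> %#x\n",
		       (unsigned long long)inos[i],
		       hashed_ino(inos[i], 32, k0, k1), hashed_ino(inos[i], 64, k0, k1));
	return 0;
}
```

The small inode number hashes to the same value in both models; the large one does not, because the two hosts feed different 64-bit inputs to the same word-size-independent hash.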
