lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Thu, 13 May 2021 17:05:20 -0400
From:   "Theodore Ts'o" <tytso@....edu>
To:     Leah Rumancik <leah.rumancik@...il.com>
Cc:     linux-ext4@...r.kernel.org
Subject: Re: [PATCH v4 2/3] ext4: add ioctl EXT4_IOC_CHECKPOINT

On Tue, May 11, 2021 at 06:04:27PM +0000, Leah Rumancik wrote:
> +static int ext4_ioctl_checkpoint(struct file *filp, unsigned long arg)
> +{
> +	int err = 0;
> +	unsigned long long flags = 0;
> +	struct super_block *sb = file_inode(filp)->i_sb;
> +
> +	if (copy_from_user(&flags, (__u64 __user *)arg,
> +				sizeof(__u64)))
> +		return -EFAULT;
> +
> +	if (flags & EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN)
> +		return 0;

We should document exactly what "Dry run" means.  Right now, it looks
like it's used so we can tell whether the ioctl is support at all.  It
might be better to do all of the checks first, so that if
EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN is set, and the ioctl returns
success, we know that all of the ioctl would succeed.  This would
allow us to use DRY_RUN to check to see if a future flag bit is supported.

> +
> +	if (!capable(CAP_SYS_ADMIN))
> +		return -EPERM;
> +
> +	/* file argument is not the mount point */
> +	if (file_dentry(filp) != sb->s_root)
> +		return -EINVAL;

I'm not sure we need to require that EXT4_IOC_CHECKPOINT has to be
called with the mount point, especially given that only process with
root privs will be allowed to call the ioctl.  SoI'd suggest removing
the check above, and allowing a file descriptor opened on any file or
directory on the file system to be sufficient to trigger the ioctl.

> +	/* filesystem is not backed by block device */
> +	if (sb->s_bdev == NULL)
> +		return -ENODEV;

This should never be the case for ext4....

> +
> +	/* check for invalid bits set */
> +	if (flags & ~(EXT4_IOC_CHECKPOINT_FLAG_DISCARD |
> +				EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT))
> +		return -EINVAL;
> +
> +	/* both discard and zeroout cannot be set */
> +	if (flags & EXT4_IOC_CHECKPOINT_FLAG_DISCARD &
> +				EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT)
> +		return -EINVAL;

This check isn't correct; see a similar comment that I made on patch
#1 of this series.

> +
> +	if (flags & EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT)
> +		pr_info_ratelimited("warning: checkpointing journal with EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT can be slow");
> +
> +	if (!EXT4_SB(sb)->s_journal)
> +		return -ENODEV;

So this is where I would actually move the DRY_RUN flag check (and
then I'd move the pr_info_ratelimited check after the DRY_RUN check).

Cheers,

						- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ