Message-ID: <bug-214665-13602@https.bugzilla.kernel.org/>
Date: Sat, 09 Oct 2021 10:23:45 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: linux-ext4@...r.kernel.org
Subject: [Bug 214665] New: security bug: using "truncate" bypass disk quotas limit
https://bugzilla.kernel.org/show_bug.cgi?id=214665
Bug ID: 214665
Summary: security bug:using "truncate" bypass disk quotas limit
Product: File System
Version: 2.5
Kernel Version: 3.10.0-1160.36.2.el7.x86_64
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@...nel-bugs.osdl.org
Reporter: 1157599735@...com
Regression: No
* Overview
A system user can bypass the "disk quota limit" using the "truncate -s 10T id" command
(which creates a file whose size is 10T).
* Steps to Reproduce
1. create a user and setup a disk quota for this user
create user "test"
```
useradd test
```
create filesystem
```
[root@...0-50-0-18 ~]# dd if=/dev/zero of=ext4 bs=1G count=1
[root@...0-50-0-18 ~]# mkfs.ext4 ext4
[root@...0-50-0-18 ~]# mkdir -p /tmp/test && chmod -R 777 /tmp/test && mount -o usrquota,grpquota ext4 /tmp/test
```
setup disk quota
```
[root@...0-50-0-18 ~]# quotacheck -u /tmp/test/ # create "aquota.user" file
[root@...0-50-0-18 ~]# edquota -u test
[root@...0-50-0-18 ~]# quotaon /tmp/test/ -u # open quota service
```
The quota setting is as below: user "test" cannot use disk space whose
size exceeds 10K.
```
Disk quotas for user test (uid 1000):
  Filesystem  blocks  soft  hard  inodes  soft  hard
  /dev/loop0       0    10    10       0     0     0
```
2. verify the quota limit using "dd"
```
[root@...0-50-0-18 ~]# su - test
上一次登录:六 10月 9 18:14:31 CST 2021pts/1 上
[test@...0-50-0-18 ~]$ dd if=/dev/zero of=/tmp/test/id bs=20K count=1
loop0: write failed, user block limit reached. # yes, this limit is as expected
dd: error writing ‘/tmp/test/id’: Disk quota exceeded
1+0 records in
0+0 records out
8192 bytes (8.2 kB) copied, 0.000221445 s, 37.0 MB/s
```
This result is as expected: the "test" user cannot write a file whose size is
more than 10K.
3. verify the quota limit using "truncate"
```
[test@...0-50-0-18 test]$ truncate -s 10T id
[test@...0-50-0-18 test]$ ll -h id
-rw-rw-r-- 1 test test 10T Oct 9 17:16 id
```
Actual result: the "test" user can create a file whose size is 10T, far
larger than 10K.
Expected result: as with the "dd" result above, the "test" user cannot write a file
whose size is more than 10K.
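Added check, not part of the bug report or of the kernel's quota code: a Python script that separates a file's apparent size (st_size, the figure `ll -h` prints and the one `truncate -s` sets) from the bytes actually allocated to it (derived from st_blocks, the figure ext4 block quotas are charged against). A file extended with `truncate -s` is sparse: its apparent size grows but no data blocks are allocated until data is written, which is why an audit that compares the two numbers surfaces such files where an `ls`-based report would not. The `demo` function builds its own constructed inputs in a temporary directory (one file written with real data like the `dd` step, one merely extended like the `truncate` step); the 1 GiB size and the 0.5 sparseness ratio are assumptions chosen for the demonstration.

```python
import os
import tempfile

# Linux reports st_blocks in 512-byte units (POSIX leaves the unit unspecified).
BLOCK_UNIT = 512


def size_report(path):
    """Return (apparent_bytes, allocated_bytes) for a file.

    apparent_bytes is st_size: what ls/stat print and what truncate -s sets.
    allocated_bytes comes from st_blocks: the quantity block quotas count.
    """
    st = os.stat(path)
    return st.st_size, st.st_blocks * BLOCK_UNIT


def is_sparse(path, ratio=0.5):
    """True when less than `ratio` of the apparent size is actually allocated.

    The ratio is an assumed audit threshold, not a kernel constant.
    """
    apparent, allocated = size_report(path)
    if apparent == 0:
        return False
    return allocated < apparent * ratio


def find_sparse_files(root, ratio=0.5):
    """Walk `root` and return [(path, apparent, allocated)] for sparse regular files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            # Skip symlinks and anything that is not a regular file.
            if os.path.islink(p) or not os.path.isfile(p):
                continue
            if is_sparse(p, ratio):
                apparent, allocated = size_report(p)
                hits.append((p, apparent, allocated))
    return hits


def demo():
    """Constructed demonstration in a temporary directory.

    'written' mirrors the dd step (20K of real data, so blocks are allocated).
    'extended' mirrors the truncate step (large apparent size, nothing written).
    """
    with tempfile.TemporaryDirectory() as d:
        written = os.path.join(d, "written")
        with open(written, "wb") as f:
            # Random bytes so a compressing filesystem cannot shrink the allocation.
            f.write(os.urandom(20 * 1024))
            f.flush()
            os.fsync(f.fileno())  # force allocation before reading st_blocks

        extended = os.path.join(d, "extended")
        with open(extended, "wb") as f:
            f.truncate(1024 ** 3)  # 1 GiB apparent size (assumed demo value), no data

        return {
            "written": size_report(written),
            "extended": size_report(extended),
            "sparse": [os.path.basename(p) for p, _, _ in find_sparse_files(d)],
        }


if __name__ == "__main__":
    for name, (apparent, allocated) in demo().items() if False else []:
        pass
    result = demo()
    for name in ("written", "extended"):
        apparent, allocated = result[name]
        print(f"{name}: apparent={apparent} bytes, allocated={allocated} bytes")
    print("sparse files:", result["sparse"])
```

Run against a quota-controlled mount point such as `/tmp/test` with `find_sparse_files("/tmp/test")` to list files whose apparent size is not backed by allocated blocks; the allocated figure is the one to compare with the `blocks` column of `quota`/`repquota` output.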