lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20120210225805.GA7493@boyd>
Date:	Fri, 10 Feb 2012 16:58:05 -0600
From:	Tyler Hicks <tyhicks@...onical.com>
To:	ecryptfs@...r.kernel.org, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Cc:	Li Wang <liwang@...t.edu.cn>, Jan Kara <jack@...e.cz>,
	Yong Peng <pengyong@...inos.com.cn>, viro@...iv.linux.org.uk,
	akpm@...ux-foundation.org, taysom@...omium.org,
	Thieu Le <thieule@...omium.org>
Subject: Fwd: Re: [PATCH] eCryptfs: Quota check incorrectly ignored

Thieu says his emails to the vger.kernel.org lists are bouncing.
Forwarding for completeness.

Tyler

----- Forwarded message from Thieu Le <thieule@...omium.org> -----

> Date: Fri, 10 Feb 2012 14:31:12 -0800
> From: Thieu Le <thieule@...omium.org>
> To: Tyler Hicks <tyhicks@...onical.com>
> Cc: Li Wang <liwang@...t.edu.cn>, Jan Kara <jack@...e.cz>, ecryptfs@...r.kernel.org,
> 	linux-kernel@...r.kernel.org, Yong Peng <pengyong@...inos.com.cn>, viro@...iv.linux.org.uk,
> 	linux-fsdevel@...r.kernel.org, akpm@...ux-foundation.org, taysom@...omium.org
> Subject: Re: [PATCH] eCryptfs: Quota check incorrectly ignored
> 
> +taysom
> 
> I am onboard with backing out the write-back cache patch.  It looks like
> we're just peeling the layers of this onion.
> 
> On Fri, Feb 10, 2012 at 11:41 AM, Tyler Hicks <tyhicks@...onical.com> wrote:
> 
> > On 2012-02-10 13:31:49, 'Tyler Hicks' wrote:
> > > On 2012-02-10 22:44:05, Li Wang wrote:
> > > > > -----Original Message-----
> > > > > From: Jan Kara [mailto:jack@...e.cz]
> > > > > Sent: Friday, February 10, 2012 6:32 PM
> > > > > To: Li Wang
> > > > > Cc: Tyler Hicks; ecryptfs@...r.kernel.org;
> > linux-kernel@...r.kernel.org;
> > > > Jan
> > > > > Kara; Yong Peng
> > > > > Subject: Re: [PATCH] eCryptfs: Quota check incorrectly ignored
> > > > >
> > > > > On Thu 09-02-12 19:39:32, Li Wang wrote:
> > > > > > eCryptfs recently modified the write path to perform encryption
> > > > > > and write down in ecryptfs_writepage(). This function invokes
> > > > vfs_write()
> > > > > > to write down the encrypted data to lower page cache. vfs_write()
> > will
> > > > > > first make sure this write will not exceed the quota limit for the
> > owner
> > > > > > of the file being written into, if quota is supported by
> > > > > > the underlying file system, and it is turned on. Normally, it
> > > > accomplishs
> > > > > > this job by calling check_idq()/check_bdq() (fs/quota/dquot.c).
> > When
> > > > system
> > > > > > dirty ratio is not high, ecryptfs_writepage() is normally invoked
> > by the
> > > > > > write back kernel thread, who has the capability CAP_SYS_RESOURCE,
> > > > > > this priority will let check_idq()/check_bdq() directly bypass the
> > quota
> > > > > > check. This sometimes makes data safely written into the disk in
> > spite
> > > > of
> > > > > > exceeding the quota limit.
> > > > > >
> > > > > > This patch temporarily removes the CAP_SYS_RESOURCE capability
> > from the
> > > > > kernel
> > > > > > thread before invoking vfs_write_lower(), to let it undergo quota
> > check
> > > > by
> > > > > > the lower file system, if necessary. After that, reassign the
> > > > capability.
> > > > >   Hmm, but then the error will just be thrown away by the flusher
> > thread
> > > > > and the application never learns about it? That doesn't sound like a
> > good
> > > > > solution.
> > > > >
> > > > >                                                           Honza
> > > >
> > > > Yes. we are aware of that, but we have not found better solution,
> > since it
> > > > seems
> > > > VFS does not supply a file system independent interface to check quota
> > early
> > > > and only
> > > > (fix us if we are wrong), The file systems just perform the quota
> > check in
> > > > their own way,
> > > > the routine is wrapped deeply inside the file system specific code
> > path.
> > > > Maybe we could
> > > > copy some codes from _dquot_alloc_space() & dquot_alloc_inode
> > > > (fs/quota/dquot.c) to
> > > > perform quota check on lower inode ourselves, but that is ugly, and we
> > are
> > > > not sure if it works
> > > > for any file system or not..., On the other side, due to the existence
> > of
> > > > write buffer, and io schedule,
> > > > the successful write call does not gurantee the data will be written
> > into
> > > > disk, in terms of that,
> > > > we do not change much of the semantic of write call.
> > >
> > > Maybe I should just revert 57db4e8d73ef2b5e94a3f412108dff2576670a8a
> > > (and friends) and go back to the write-through cache model for eCryptfs.
> > > The write-back model has some nice performance improvements, but we keep
> > > running into little issues like this. For write-through to work
> > > reliably, we're going to need some support from the VFS that isn't there
> > > yet.
> >
> > Sorry, that should be "For write-back to work reliably, we're going to
> > need some support from the VFS that isn't there yet."
> >
> > Tyler
> >
> > >
> > > Handling ENOSPC correctly is another area that is lacking after the
> > > switch to write-back. Currently, an application will continue to write
> > > out data without having any indication that the disk is full. Thieu
> > > proposed a fix, but it was never merged:
> > >
> > > http://article.gmane.org/gmane.linux.kernel/1209265
> > >
> > > So, what do folks think about going back to a write-through cache until
> > > we have the ability to alert the application of these error conditions?
> > >
> > > Tyler
> > >
> > > >
> > > > >
> > > > >
> > > > > >
> > > > > > Signed-off-by: Li Wang <liwang@...t.edu.cn>
> > > > > > Singed-off-by: Yong Peng <pengyong@...inos.com.cn>
> > > > > > ---
> > > > > >
> > > > > > To repeat this bug,
> > > > > >         mount -o usrquota /dev/sda3 /tmp
> > > > > >         cd /tmp
> > > > > >         edquota -u foo // set the disk quota limit for user foo be
> > m1 bytes
> > > > > >         quotaon -a
> > > > > >         mount -t ecryptfs cipher plain
> > > > > >
> > > > > >         login the system as user foo
> > > > > >         cd /tmp/plain
> > > > > >         execute the following simple program
> > > > > >
> > > > > >         int main()
> > > > > >         {
> > > > > >                 char buf[m2]; // m2>m1
> > > > > >                 FILE *f = fopen("dummy", "w");
> > > > > >                 fwrite(buf, 1, m2, f);
> > > > > >                 sleep(60); // let the kernel thread do the write
> > back job
> > > > > >                 fclose(f);
> > > > > >                 return 0;
> > > > > >         }
> > > > > >
> > > > > >         This program can write as much of data as it wants,
> > provided sleep
> > > > > enough long time before closing the file.
> > > > > >
> > > > > >  fs/ecryptfs/crypto.c |   27 +++++++++++++++++++++++++++
> > > > > >  1 files changed, 27 insertions(+), 0 deletions(-)
> > > > > >
> > > > > > diff --git a/fs/ecryptfs/crypto.c b/fs/ecryptfs/crypto.c
> > > > > > index 63ab245..2c1da29 100644
> > > > > > --- a/fs/ecryptfs/crypto.c
> > > > > > +++ b/fs/ecryptfs/crypto.c
> > > > > > @@ -457,6 +457,7 @@ int ecryptfs_encrypt_page(struct page *page)
> > > > > >         struct page *enc_extent_page = NULL;
> > > > > >         loff_t extent_offset;
> > > > > >         int rc = 0;
> > > > > > +       struct cred *cred;
> > > > > >
> > > > > >         ecryptfs_inode = page->mapping->host;
> > > > > >         crypt_stat =
> > > > > > @@ -487,8 +488,34 @@ int ecryptfs_encrypt_page(struct page *page)
> > > > > >                                    * (PAGE_CACHE_SIZE
> > > > > >                                       / crypt_stat->extent_size))
> > > > > >                                   + extent_offset), crypt_stat);
> > > > > > +               if (current->flags & PF_KTHREAD) {
> > > > > > +                       /*
> > > > > > +                         * Temporarily remove the
> > > > > CAP_SYS_RESOURCE capability
> > > > > > +                         * from the write back kernel thread to
> > let it
> > > > > undergo
> > > > > > +                         * quota check by the lower file system
> > > > > > +                         */
> > > > > > +                       cred = prepare_creds();
> > > > > > +                       if (unlikely(!cred)) {
> > > > > > +                               rc = -ENOMEM;
> > > > > > +                               goto out;
> > > > > > +                       }
> > > > > > +                       cap_lower(cred->cap_effective,
> > CAP_SYS_RESOURCE);
> > > > > > +                       commit_creds(cred);
> > > > > > +               }
> > > > > >                 rc = ecryptfs_write_lower(ecryptfs_inode,
> > enc_extent_virt,
> > > > > >                                           offset,
> > crypt_stat->extent_size);
> > > > > > +               if (current->flags & PF_KTHREAD) {
> > > > > > +                       /*
> > > > > > +                         * Reassign the CAP_SYS_RESOURCE
> > > > > capability
> > > > > > +                         */
> > > > > > +                       cred = prepare_creds();
> > > > > > +                       if (unlikely(!cred)) {
> > > > > > +                               rc = -ENOMEM;
> > > > > > +                               goto out;
> > > > > > +                       }
> > > > > > +                       cap_raise(cred->cap_effective,
> > CAP_SYS_RESOURCE);
> > > > > > +                       commit_creds(cred);
> > > > > > +               }
> > > > > >                 if (rc < 0) {
> > > > > >                         ecryptfs_printk(KERN_ERR, "Error
> > attempting "
> > > > > >                                         "to write lower page; rc =
> > [%d]"
> > > > > > --
> > > > > > 1.7.6.5
> > > > > --
> > > > > Jan Kara <jack@...e.cz>
> > > > > SUSE Labs, CR
> > > >
> >
> >
> >

----- End forwarded message -----

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ