[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20150203075616.GA29656@ZenIV.linux.org.uk>
Date: Tue, 3 Feb 2015 07:56:16 +0000
From: Al Viro <viro@...IV.linux.org.uk>
To: Alexander Holler <holler@...oftware.de>
Cc: linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/5] WIP: Add syscall unlinkat_s (currently x86* only)
On Tue, Feb 03, 2015 at 07:58:50AM +0100, Alexander Holler wrote:
> > Charming. Now, what exactly happens if two such syscalls overlap in time?
>
> What do you think will happen? I assume you haven't looked at how I've
> implemented set_secure_delete(). CHarming.
AFAICS, you get random unlink() happening at the same time hit by that
mess, whether they'd asked for it or not. What's more, this counter
of yours is *not* guaranteed to be elevated during the final iput() of the
inode you wanted to get - again, ls -lR racing with that syscall can
elevate the refcount of dentry, making d_delete() in vfs_unlink() just
remove that dentry from hash, while keeping it positive. If dentry
reference grabbed by stat(2) is released after both dput() and iput() in
do_unlinkat(), the final iput() will be done when stat(2) drops its
reference to dentry, triggering immediate dentry_kill() (since dentry
has already been unhashed) and dentry_iput() from it.
IOW, this counter is both too crude (it's fs-wide, for crying out loud)
*and* not guaranteed to cover enough. _IF_ you want that behaviour at
all, it ought to be an in-core inode flag set by that syscall and
checked by truncation logics to decide whether to do normal truncate of
this "overwrite with zeroes" thing.
While we are at it, "overwrite with zeroes" is too weak if the attacker
might get hold of the actual hardware. Google for details - it's far too
long story for l-k posting. Look for data recovery and secure data erasure...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists