lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Tue, 3 Feb 2015 07:56:16 +0000
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Alexander Holler <holler@...oftware.de>
Cc:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/5] WIP: Add syscall unlinkat_s (currently x86* only)

On Tue, Feb 03, 2015 at 07:58:50AM +0100, Alexander Holler wrote:

> > Charming.  Now, what exactly happens if two such syscalls overlap in time?
> 
> What do you think will happen? I assume you haven't looked at how I've
> implemented set_secure_delete(). CHarming.

AFAICS, you get random unlink() happening at the same time hit by that
mess, whether they'd asked for it or not.  What's more, this counter
of yours is *not* guaranteed to be elevated during the final iput() of the
inode you wanted to get - again, ls -lR racing with that syscall can
elevate the refcount of dentry, making d_delete() in vfs_unlink() just
remove that dentry from hash, while keeping it positive.  If dentry
reference grabbed by stat(2) is released after both dput() and iput() in
do_unlinkat(), the final iput() will be done when stat(2) drops its
reference to dentry, triggering immediate dentry_kill() (since dentry
has already been unhashed) and dentry_iput() from it.

IOW, this counter is both too crude (it's fs-wide, for crying out loud)
*and* not guaranteed to cover enough.  _IF_ you want that behaviour at
all, it ought to be an in-core inode flag set by that syscall and
checked by truncation logics to decide whether to do normal truncate of
this "overwrite with zeroes" thing.

While we are at it, "overwrite with zeroes" is too weak if the attacker
might get hold of the actual hardware.  Google for details - it's far too
long story for l-k posting.  Look for data recovery and secure data erasure...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists