| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 12 Mar 2016 09:30:47 +1100 From: Dave Chinner <david@...morbit.com> To: Linus Torvalds <torvalds@...ux-foundation.org> Cc: Andy Lutomirski <luto@...capital.net>, One Thousand Gnomes <gnomes@...rguk.ukuu.org.uk>, Ric Wheeler <rwheeler@...hat.com>, Theodore Ts'o <tytso@....edu>, Gregory Farnum <greg@...gs42.com>, "Martin K. Petersen" <martin.petersen@...cle.com>, Christoph Hellwig <hch@...radead.org>, "Darrick J. Wong" <darrick.wong@...cle.com>, Jens Axboe <axboe@...nel.dk>, Andrew Morton <akpm@...ux-foundation.org>, Linux API <linux-api@...r.kernel.org>, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, shane.seymour@....com, Bruce Fields <bfields@...ldses.org>, linux-fsdevel <linux-fsdevel@...r.kernel.org>, Jeff Layton <jlayton@...chiereds.net>, Eric Sandeen <esandeen@...hat.com> Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks On Fri, Mar 11, 2016 at 10:25:30AM -0800, Linus Torvalds wrote: > On Fri, Mar 11, 2016 at 9:30 AM, Andy Lutomirski <luto@...capital.net> wrote: > > > > What if we had an ioctl to do these data-leaking operations that took, > > as an extra parameter, an fd to the block device node. They allow > > access if the fd points to the right inode and has FMODE_READ (and LSM > > checks say it's okay). Sure, it's awkward, but it's much safer. > > That sounds absolutely horrible. > > I'd *much* prefer the suggestion from Alan to simply have a mount-time > option to enable it. That way, you will never get any surprises, and > no "subtle new behavior for somebody who set their system up in a way > that doesn't allow for this". > > So you'd have to explicitly say "my setup is ok with hole punching". Except it's not hole punching that is the problem. Hoel punching makes sure that the underlying blocksare removed and so whatever data is in them cannot be accessed any more. The problem here is preallocation of unwritten blocks that expose the stale data if the filesystem skips marking those blocks as unwritten. And, so, what happens when a file that is preallocated with the unwritten bit so it exposes stale data then has it's owner/group changed? Or copied by root/user in privileged group to a different location that other users can access? Or any of the other vectors that can result in the stale data being copied/made available to unprivileged users? It's all well and good to restrict access to the fallocate() call to limit who can expose stale data, but it doesn't remove the fact it is easy for stale data to unintentionally escape the privileged group once it has been exposed because there is no record of the fact the file contains uninitialised blocks.... Cheers, Dave. -- Dave Chinner david@...morbit.com
Powered by blists - more mailing lists