lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 24 Nov 2017 15:03:37 -0700
From:   Andreas Dilger <>
To:     Andi Kleen <>
Cc:     Theodore Ts'o <>, Tahsin Erdogan <>,
        Linux Kernel Mailing List <>,
        linux-fsdevel <>,
        linux-ext4 <>
Subject: Re: regression: 4.13 cannot follow symlinks on some ext3 fs

On Nov 24, 2017, at 9:51 AM, Andi Kleen <> wrote:
>> We checked old kernels, and old e2fsprogs, and didn't see any cases
>> where fast (<= 60 chars) symlinks were created using external blocks.
>> It seems that _something_ did create them, and it would be good to
>> figure that out so we can determine if it is a widespread problem
> I assume it was the original kernel.
>> I think e2fsck can fix this quite easily, and there really isn't
>> an easy way to revert to the old method if the large xattr feature
>> is enabled.  If you are willing to run a new kernel, you should also
>> be willing to run a new e2fsck.
> It's obviously not enabled on ext3.
>> We could probably add a fallback to the old mechanism (and print
>> a one-time warning to upgrade to a newer e2fsck) if an external fast
>> symlink is found and the large xattr  feature is not enabled, which
>> would give more time to fix this (hopefully rare in the wild) case.
> If the old kernel created it, then likely all the
> /lib{,64}/ symlinks have that, which breaks all ELF
> executables. I suspect in these old file systems it's not particularly rare.

Sure, but not many people are going to be running a 4.14 kernel with
a 2007 system.  Could you please run the updated find command to see
whether this is an isolated case, or if it is a common case:

find / -type l -size -60c -print0 | xargs -0r ls -dils | awk '$2 != 0 { print }'

It would also be useful if anyone else reading this that has an old
system (2005-2011 install date) ran the same to see if any such
symlinks are found.  To see when the root filesystem was created, run:

dumpe2fs -h $(df -P / | awk '/dev/ { print $1 }') 2>&1 | grep created

> So I don't think you can just break them all.

Sure.  As previously mentioned, it shouldn't have broken *any* systems
based on our prior investigation, I'm just trying to see how bad the
problem really is.  Like I said, a workaround (without need to patch
the kernel, and that is compatible with old and new kernels) is:

find / -type l -size -60c -print0 | xargs -0r ls -dils | awk '$2 != 0 { print }' |
    while read L; do ln -sfv "$(ls -l "$L" | sed -e 's/.*-> //')" "$L"; done

This just recreates any problematic symlinks in place, which should make
it a proper fast symlink.

> I think it's ok to only handle it when the large xattrs are disabled.
> Requiring new e2fsck on old systems is a bad idea.

Any worse an idea than running a new kernel on an old system?
Newer e2fsck fixes a lot of bugs that are present in older
e2fsck as well...

Cheers, Andreas

Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists