lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180506203046.GV29205@thunk.org>
Date:   Sun, 6 May 2018 16:30:47 -0400
From:   "Theodore Y. Ts'o" <tytso@....edu>
To:     Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
Cc:     syzbot+a9a45987b8b2daabdc88@...kaller.appspotmail.com,
        syzkaller-bugs@...glegroups.com, syzkaller@...glegroups.com,
        adilger.kernel@...ger.ca, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: kernel panic: EXT4-fs (device loop0): panic forced after error

On Sun, May 06, 2018 at 11:40:10PM +0900, Tetsuo Handa wrote:
> > We could add a full kernel-mode fsck which gets run before mount ---
> > the question is how much complexity we want to add.  If SELinux is
> > enabled, then we have to check xattr consinsistency, etc., etc.
> 
> You are thinking too complicated. I'm not asking for kernel-mode fsck.

That is the logical outcome of what you are asking for.  There will
*always* be a point after which where we can't atomically unwind the
mount, and we have to proceed.  And after that point, when we detect
an inconsistency all we can do is what the system administrator
requested that we do.  Sure, for this particular case, we can
significantly add more complexity and decrease the maintainability of
the code paths involved.  But there will always be another case
(e.g,. xattr's being read by SELinux or IMA) that will happen during
the mount, and are we expected to catch all of those cases?

We do catch a lot of cases where we refuse the mount and complain that
the file system is badly corrupted.  This just doesn't happen to be
one of them.

> I'm just suggesting that mount() request returns an error to the caller
> (and the administrator invokes fsck etc. as needed).
> 
> We are fixing bugs which occur during mount operation (e.g.
> 
>   https://groups.google.com/d/msg/syzkaller-bugs/Yp4q8n-MijM/yDX3zl1XBQAJ
>   https://groups.google.com/d/msg/syzkaller-bugs/4C4oiBX8vZ0/W6pi8NdbBgAJ
>   https://groups.google.com/d/msg/syzkaller-bugs/QBnHAQBy2pI/ccf-yL5bBgAJ

These are different because there are kernel OOPS or warning messages.
This is neither a kernel OOPS or a WARN_ON or BUG_ON.

> And extX filesystem is different from other filesystems that it invokes
> error action specified by errors= parameter rather than return an error to
> the caller.

Syzkaller (or anyone else) can mount the file system with
errors=continue or errors=remount-ro if it wants to override the
requested behavior of the flag in the superblock which is manipulated
by tune2fs.

						- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ