lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Jan 2019 11:00:46 +1100 From: Dave Chinner <david@...morbit.com> To: Jann Horn <jannh@...gle.com> Cc: Richard Henderson <rth@...ddle.net>, Ivan Kokshaysky <ink@...assic.park.msu.ru>, Matt Turner <mattst88@...il.com>, Alexander Viro <viro@...iv.linux.org.uk>, linux-fsdevel@...r.kernel.org, "Eric W. Biederman" <ebiederm@...ssion.com>, Theodore Ts'o <tytso@....edu>, Andreas Dilger <adilger.kernel@...ger.ca>, linux-alpha@...r.kernel.org, linux-kernel@...r.kernel.org, Pavel Machek <pavel@....cz> Subject: Re: [PATCH v3 1/2] fs: don't let getdents return bogus names On Mon, Jan 14, 2019 at 07:23:17PM +0100, Jann Horn wrote: > When you e.g. run `find` on a directory for which getdents returns > "filenames" that contain slashes, `find` passes those "filenames" back to > the kernel, which then interprets them as paths. That could conceivably > cause userspace to do something bad when accessing something like an > untrusted USB stick, but I'm not aware of any specific example. > > Instead of returning bogus filenames to userspace, return -EUCLEAN. Please don't use EUCLEAN directly to indicate filesystem corruption directly. If we want to indicate that the filesystem is corrupted, please hoist the multiple XFS/ext4 definitions of: #define EFSCORRUPTED EUCLEAN up into include/uapi/asm-generic/errno.h and then use EFSCORRUPTED in all the places where we want to indicate to userspace that the filesystem is corrupted. That tells both the code reader and the userspace developers that it's a corruption error and puts context to the "structure needs cleaning" text that goes along with it... Cheers, Dave. -- Dave Chinner david@...morbit.com
Powered by blists - more mailing lists