lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <000001d95898$456301d0$d0290570$@samsung.com>
Date:   Fri, 17 Mar 2023 15:18:20 +0900
From:   ±æ¿µÁø/System Core Lab.(MX)/»ï¼ºÀüÀÚ 
        <youngjin.gil@...sung.com>
To:     "'Eric Biggers'" <ebiggers@...nel.org>
Cc:     <agk@...hat.com>, <snitzer@...nel.org>, <dm-devel@...hat.com>,
        <linux-kernel@...r.kernel.org>,
        "'Sungjong Seo'" <sj1557.seo@...sung.com>,
        "'Nathan Huckleberry'" <nhuck@...gle.com>,
        "'Sami Tolvanen'" <samitolvanen@...gle.com>
Subject: RE: [PATCH] dm verity: fix error handling for check_at_most_once

Hi Eric,
Thank you for your detailed feedback.
> Hi Yeongjin,
> 
> On Thu, Mar 16, 2023 at 12:18:42PM +0900, Yeongjin Gil wrote:
> > In verity_work(), the return value of verity_verify_io() is converted
> > to blk_status and passed to verity_finish_io(). BTW, when a bit is set
> > in
> > v->validated_blocks, verity_verify_io() skips verification regardless
> > v->of
> > I/O error for the corresponding bio. In this case, the I/O error could
> > not be returned properly, and as a result, there is a problem that
> > abnormal data could be read for the corresponding block.
> >
> > To fix this problem, when an I/O error occurs, do not skip
> > verification even if the bit related is set in v->validated_blocks.
> >
> > Fixes: 843f38d382b1 ("dm verity: add 'check_at_most_once' option to
> > only validate hashes once")
> >
> > Signed-off-by: Sungjong Seo <sj1557.seo@...sung.com>
> > Signed-off-by: Yeongjin Gil <youngjin.gil@...sung.com>
> > ---
> >  drivers/md/dm-verity-target.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/drivers/md/dm-verity-target.c
> > b/drivers/md/dm-verity-target.c index ade83ef3b439..9316399b920e
> > 100644
> > --- a/drivers/md/dm-verity-target.c
> > +++ b/drivers/md/dm-verity-target.c
> > @@ -523,7 +523,7 @@ static int verity_verify_io(struct dm_verity_io *io)
> >  		sector_t cur_block = io->block + b;
> >  		struct ahash_request *req = verity_io_hash_req(v, io);
> >
> > -		if (v->validated_blocks &&
> > +		if (v->validated_blocks && bio->bi_status == BLK_STS_OK &&
> >  		    likely(test_bit(cur_block, v->validated_blocks))) {
> >  			verity_bv_skip_block(v, io, iter);
> >  			continue;
> 
> Thanks for sending this patch!  This looks like a correct fix, but I have
> some
> comments:
> 
> * Using "check_at_most_once" is strongly discouraged, as it reduces
> security.
>   If you are using check_at_most_once to improve performance at the cost
> of
>   reduced security, please consider that very recently, dm-verity
> performance
>   has significantly improved due to the removal of the WQ_UNBOUND
> workqueue flag
>   which was causing significant I/O latency.  See commit c25da5b7baf1
>   ("dm verity: stop using WQ_UNBOUND for verify_wq").
> 
> * I think your commit message does not explain a key aspect of the problem
> which
>   is why is verity even attempted when the underlying I/O has failed?
> This
>   appears to be because of the Forward Error Correction (FEC) feature.
So,
> this
>   issue is specific to the case where both FEC and check_at_most_once is
> used.
>   Can you make your commit message explain this?
Okay. I will update commit message.
> 
> * This patch does not appear to have been received by the dm-devel mailing
> list,
>   which is the list where dm-verity patches should be reviewed on.  It
> doesn't
>   show up in the archive at https://lore.kernel.org/dm-devel.  Also, I'm
>   subscribed to dm-devel and I didn't receive this patch in my inbox.  (I
> had to
>   download it from https://lore.kernel.org/lkml instead.)  Did you receive
> a
>   bounce message when you sent this patch?
I am not sure but I received message from googlemail.com as follow
"totte@...gle.com because the address couldn't be found".
I will try to send v2 patch exclude totte@...gle.com and check the mailing.
> 
> * Please add 'Cc: stable@...r.kernel.org' to the commit message, just
> below the
>   Fixes line, as per Documentation/process/stable-kernel-rules.rst.  This
> will
>   ensure that the fix will be backported to the stable kernels.
Okay.
> 
> * "Signed-off-by: Sungjong Seo <sj1557.seo@...sung.com>" does not have a
>   corresponding Author or Co-developed-line, which is not allowed.  Did
> you mean
>   to list Sungjong as the Author or as a co-author?
I created a patch through an internal review with Sungjong.
I will change the tag to "Reviewed-by"
> 
> * No blank line between Fixes and the Signed-off-by line(s), please.
Okay. Thanks. I will send v2 patch soon.
> 
> Thanks!
> 
> - Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ