Message-ID: <86068780-bab3-2fc2-3f6f-1868be119b38@veeam.com>
Date: Fri, 14 Apr 2023 14:34:47 +0200
From: Sergei Shtepa <sergei.shtepa@...am.com>
To: Donald Buczek <buczek@...gen.mpg.de>, <axboe@...nel.dk>,
<hch@...radead.org>, <corbet@....net>, <snitzer@...nel.org>
CC: <viro@...iv.linux.org.uk>, <brauner@...nel.org>,
<willy@...radead.org>, <kch@...dia.com>,
<martin.petersen@...cle.com>, <vkoul@...nel.org>,
<ming.lei@...hat.com>, <gregkh@...uxfoundation.org>,
<linux-block@...r.kernel.org>, <linux-doc@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH v3 03/11] documentation: Block Devices Snapshots Module

On 4/12/23 21:38, Donald Buczek wrote:
>
> I think you can trigger all kinds of use-after-free when userspace deletes a snapshot image or the snapshot image and the tracker while the disk device snapshot image is kept alive (mounted or just opened) and doing I/O.
>
> Here is what I did to provoke that:
>
> root@...e:~# s=$(blksnap snapshot_create -d /dev/vdb)
> root@...e:~# blksnap snapshot_appendstorage -i $s -f /scratch/local/test.dat
> device path: '/dev/block/253:2'
> allocate range: ofs=11264624 cnt=2097152
> root@...e:~# blksnap snapshot_take -i $s
> root@...e:~# mount /dev/blksnap-image_253\:16 /mnt
> root@...e:~# dd if=/dev/zero of=/mnt/x.x &
> [1] 2514
> root@...e:~# blksnap snapshot_destroy -i $s
> dd: writing to '/mnt/x.x': No space left on device
> 1996041+0 records in
> 1996040+0 records out
> 1021972480 bytes (1.0 GB, 975 MiB) copied, 8.48923 s, 120 MB/s
> [1]+ Exit 1 dd if=/dev/zero of=/mnt/x.x
>
Thanks!
I am very glad that the blksnap tool turned out to be useful in the review.
This snapshot deletion scenario is not the most typical, but of course it is
quite possible.
I will need to solve this problem and add such a scenario to the test suite.