Date:   Tue, 18 Apr 2023 12:31:16 +0200
From:   Sergei Shtepa <sergei.shtepa@...am.com>
To:     Donald Buczek <buczek@...gen.mpg.de>, <axboe@...nel.dk>,
        <hch@...radead.org>, <corbet@....net>, <snitzer@...nel.org>
CC:     <viro@...iv.linux.org.uk>, <brauner@...nel.org>,
        <willy@...radead.org>, <kch@...dia.com>,
        <martin.petersen@...cle.com>, <vkoul@...nel.org>,
        <ming.lei@...hat.com>, <gregkh@...uxfoundation.org>,
        <linux-block@...r.kernel.org>, <linux-doc@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>
Subject: Re: [PATCH v3 03/11] documentation: Block Devices Snapshots Module



On 4/14/23 14:34, Sergei Shtepa wrote:
> On 4/12/23 21:38, Donald Buczek wrote:
>> I think you can trigger all kinds of use-after-free when userspace deletes a snapshot image or the snapshot image and the tracker while the disk device snapshot image is kept alive (mounted or just opened) and doing I/O.
>>
>> Here is what I did to provoke that:
>>
>> root@...e:~# s=$(blksnap snapshot_create -d /dev/vdb)
>> root@...e:~# blksnap snapshot_appendstorage -i $s -f /scratch/local/test.dat
>> device path: '/dev/block/253:2'
>> allocate range: ofs=11264624 cnt=2097152
>> root@...e:~# blksnap snapshot_take -i $s
>> root@...e:~# mount /dev/blksnap-image_253\:16 /mnt
>> root@...e:~# dd if=/dev/zero of=/mnt/x.x &
>> [1] 2514
>> root@...e:~# blksnap snapshot_destroy -i $s
>> dd: writing to '/mnt/x.x': No space left on device
>> 1996041+0 records in
>> 1996040+0 records out
>> 1021972480 bytes (1.0 GB, 975 MiB) copied, 8.48923 s, 120 MB/s
>> [1]+  Exit 1                  dd if=/dev/zero of=/mnt/x.x
>>
> Thanks!
> I am very glad that the blksnap tool turned out to be useful in the review.
> This snapshot deletion scenario is not the most typical, but of course it is
> quite possible.
> I will need to solve this problem and add such a scenario to the test suite.
> 

Hi!

I have redesigned the logic of ownership of the diff_area structure.
See the attached patch or the commit.
Link: https://github.com/SergeiShtepa/linux/commit/7e927c381dcd2b2293be8315897a224d111b6f88
A test script for such a scenario has been added.
Link: https://github.com/veeam/blksnap/commit/fd0559dfedf094901d08bbf185fed288f0156433

I will be glad of any feedback.
View attachment "fix_diff_area_ownership.patch" of type "text/x-patch" (16723 bytes)
