lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <733f591e-0e8f-8668-8298-ddb11a74df81@veeam.com>
Date:   Wed, 14 Jun 2023 11:26:20 +0200
From:   Sergei Shtepa <sergei.shtepa@...am.com>
To:     Christoph Hellwig <hch@...radead.org>,
        Dave Chinner <david@...morbit.com>
CC:     <axboe@...nel.dk>, <corbet@....net>, <snitzer@...nel.org>,
        <viro@...iv.linux.org.uk>, <brauner@...nel.org>,
        <dchinner@...hat.com>, <willy@...radead.org>, <dlemoal@...nel.org>,
        <linux@...ssschuh.net>, <jack@...e.cz>, <ming.lei@...hat.com>,
        <linux-block@...r.kernel.org>, <linux-doc@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <linux-fsdevel@...r.kernel.org>,
        Donald Buczek <buczek@...gen.mpg.de>
Subject: Re: [PATCH v5 04/11] blksnap: header file of the module interface



On 6/14/23 08:26, Christoph Hellwig wrote:
> Subject:
> Re: [PATCH v5 04/11] blksnap: header file of the module interface
> From:
> Christoph Hellwig <hch@...radead.org>
> Date:
> 6/14/23, 08:26
> 
> To:
> Dave Chinner <david@...morbit.com>
> CC:
> Sergei Shtepa <sergei.shtepa@...am.com>, axboe@...nel.dk, hch@...radead.org, corbet@....net, snitzer@...nel.org, viro@...iv.linux.org.uk, brauner@...nel.org, dchinner@...hat.com, willy@...radead.org, dlemoal@...nel.org, linux@...ssschuh.net, jack@...e.cz, ming.lei@...hat.com, linux-block@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, Donald Buczek <buczek@...gen.mpg.de>
> 
> 
> On Wed, Jun 14, 2023 at 08:25:15AM +1000, Dave Chinner wrote:
>>> + * Return: 0 if succeeded, negative errno otherwise.
>>> + */
>>> +#define IOCTL_BLKSNAP_SNAPSHOT_APPEND_STORAGE					\
>>> +	_IOW(BLKSNAP, blksnap_ioctl_snapshot_append_storage,			\
>>> +	     struct blksnap_snapshot_append_storage)
>> That's an API I'm extremely uncomfortable with. We've learnt the
>> lesson *many times* that userspace physical mappings of underlying
>> file storage are unreliable.
>>
>> i.e.  This is reliant on userspace telling the kernel the physical
>> mapping of the filesystem file to block device LBA space and then
>> providing a guarantee (somehow) that the mapping will always remain
>> unchanged. i.e. It's reliant on passing FIEMAP data from the
>> filesystem to userspace and then back into the kernel without it
>> becoming stale and somehow providing a guarantee that nothing (not
>> even the filesystem doing internal garbage collection) will change
>> it.
> Hmm, I never thought of this API as used on files that somewhere
> had a logical to physical mapping applied to them.
> 
> Sergey, is that the indtended use case?  If so we really should
> be going through the file system using direct I/O.
> 

Hi!
Thank you, Dave, for such a detailed comment. 
Yes, everything is really as you described.

This code worked quite successfully for the veeamsnap module, on the
basis of which blksnap was created. Indeed, such an allocation of an
area on a block device using a file does not look safe.

We've already discussed this with Donald Buczek <buczek@...gen.mpg.de>.
Link: https://github.com/veeam/blksnap/issues/57#issuecomment-1576569075
And I have planned work on moving to a more secure ioctl in the future.
Link: https://github.com/veeam/blksnap/issues/61

Now, thanks to Dave, it becomes clear to me how to solve this problem best.
swapfile is a good example of how to do it right.

Fixing this vulnerability will entail transferring the algorithm for
allocating the difference storage from the user-space to the blksnap code.
The changes are quite significant. The UAPI will be changed.

So I agree that the blksnap module is not good enough for upstream yet.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ