[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87y1j9ddpx.fsf@email.froward.int.ebiederm.org>
Date: Fri, 21 Jul 2023 00:40:26 -0500
From: "Eric W. Biederman" <ebiederm@...ssion.com>
To: Dmitry Vyukov <dvyukov@...gle.com>
Cc: Viacheslav Dubeyko <slava@...eyko.com>,
Matthew Wilcox <willy@...radead.org>,
Arnd Bergmann <arnd@...db.de>,
Linus Torvalds <torvalds@...ux-foundation.org>,
syzbot <syzbot+7bb7cd3595533513a9e7@...kaller.appspotmail.com>,
Andrew Morton <akpm@...ux-foundation.org>,
christian.brauner@...ntu.com,
Damien Le Moal <damien.lemoal@...nsource.wdc.com>,
Jeff Layton <jlayton@...nel.org>,
Linux FS Devel <linux-fsdevel@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>,
syzkaller-bugs@...glegroups.com,
ZhangPeng <zhangpeng362@...wei.com>,
linux-m68k@...ts.linux-m68k.org
Subject: Re: [syzbot] [hfs?] WARNING in hfs_write_inode
Dmitry Vyukov <dvyukov@...gle.com> writes:
> On Thu, 5 Jan 2023 at 17:45, Viacheslav Dubeyko <slava@...eyko.com> wrote:
>> > On Wed, Jan 04, 2023 at 08:37:16PM -0800, Viacheslav Dubeyko wrote:
>> >> Also, as far as I can see, available volume in report (mount_0.gz) somehow corrupted already:
>> >
>> > Syzbot generates deliberately-corrupted (aka fuzzed) filesystem images.
>> > So basically, you can't trust anything you read from the disc.
>> >
>>
>> If the volume has been deliberately corrupted, then no guarantee that file system
>> driver will behave nicely. Technically speaking, inode write operation should never
>> happened for corrupted volume because the corruption should be detected during
>> b-tree node initialization time. If we would like to achieve such nice state of HFS/HFS+
>> drivers, then it requires a lot of refactoring/implementation efforts. I am not sure that
>> it is worth to do because not so many guys really use HFS/HFS+ as the main file
>> system under Linux.
>
>
> Most popular distros will happily auto-mount HFS/HFS+ from anything
> inserted into USB (e.g. what one may think is a charger). This creates
> interesting security consequences for most Linux users.
> An image may also be corrupted non-deliberately, which will lead to
> random memory corruptions if the kernel trusts it blindly.
I am going to point out that there are no known linux filesystems
that are safe to mount when someone has written a deliberately
corrupted filesystem on a usb stick.
Some filesystems like ext4 make a best effort to fix bugs of this sort
as they are discovered but unless something has changed since last I
looked no one makes the effort to ensure that it is 100% safe to mount
any possible corrupted version of any Linux filesystem.
If there is any filesystem in Linux that is safe to automount from
an untrusted USB stick I really would like to hear about it. We could
allow mounting them in unprivileged user namespaces and give all kinds
of interesting capabilities to our users.
As it is I respectfully suggest that if there is a security issue it is
the userspace code that automounts any filesystem on an untrusted USB
stick.
Eric
Powered by blists - more mailing lists