lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 22 Jan 2024 12:50:04 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Cc: Geert Uytterhoeven <geert@...ux-m68k.org>, Kees Cook
 <keescook@...omium.org>, Linus Torvalds <torvalds@...ux-foundation.org>,
 linux-kernel@...r.kernel.org, Masami Hiramatsu <mhiramat@...nel.org>, Mark
 Rutland <mark.rutland@....com>, Andrew Morton <akpm@...ux-foundation.org>,
 Christian Brauner <brauner@...nel.org>, Al Viro <viro@...iv.linux.org.uk>,
 Ajay Kaher <ajay.kaher@...adcom.com>
Subject: Re: [for-linus][PATCH 1/3] eventfs: Have the inodes all for files
 and directories all be the same

On Mon, 22 Jan 2024 12:14:36 -0500
Mathieu Desnoyers <mathieu.desnoyers@...icios.com> wrote:

> 
> Why use an improvised hashing function (re-purposed from
> scripts/kconfig/symbol.c to a use-case which is exposed through a

That hash is just salt to the real hash function, which is the
siphash_1u32(). I added the name hash so that each file will get a little
different salt to the hash.

The siphash_1u32() is what the rest of the kernel uses for hashing kernel
address space.

> userspace ABI prone to kernel address leaks) rather than simply
> reserving values by setting bits in a bitmap ?
> 
> How many inodes do we realistically expect to have there ?

If I only do directories, it is actually significantly less.

> 
> On my 6.1.0 kernel:
> 
> find /sys/kernel/tracing | wc -l
> 15598
> 
> (mainly due to TRACE_EVENT ABI files)
> 
> Hashing risks:
> 
> - Exposing kernel addresses if the hashing algorithm is broken,

Well this was my biggest concern, but if I truncate at least a nibble, with
the unique salt to the algorithm for each file, how easily does that expose
kernel addresses.

The ei itself, is created from kmalloc() so you would at best get a heap
address. But with the missing nibble (if I mask it with ((1 << 28) - 1),
and much more taken away for 64 bit systems), and the added unique salt, is
it possible for this to expose anything that could be used in an attack?

> - Collisions if users are unlucky (which could trigger those
>    'find' errors).
> 
> Those 15598 inode values fit within a single page (bitmap of
> 1922 bytes).
> 
> So I would recommend simply adding a bitmap per tracefs filesystem
> instance to keep track of inode number allocation.

And how do I recover this bit after the inode is freed, but then referenced
again?

> 
> Creation/removal of files/directories in tracefs should not be
> a fast-path anyway, so who cares about the speed of a find first
> bit within a single page ?
> 

When an inode is no longer referenced, it is freed. When it is referenced
again, I want it to be recreated with the same inode number it had
previously. How would having a bitmask help with that? I need a way to map
an ei structure with a unique number without adding another 4 bytes to the
structure itself.

-- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ