lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20241112152957.GA317364@mit.edu>
Date: Tue, 12 Nov 2024 10:29:57 -0500
From: "Theodore Ts'o" <tytso@....edu>
To: Sergey Senozhatsky <senozhatsky@...omium.org>
Cc: Andreas Dilger <adilger.kernel@...ger.ca>, linux-ext4@...r.kernel.org,
        linux-kernel@...r.kernel.org
Subject: Re: ext4: possible circular locking dependency at
 ext4_xattr_inode_create

On Tue, Nov 12, 2024 at 04:34:21PM +0900, Sergey Senozhatsky wrote:
> 
> I've a following syzkaller report (no reproducer); the report is
> against 5.15, but the same call-chain seems possible in current
> upstream as well.  So I suspect that maybe ext4_xattr_inode_create()
> should take nested inode_lock (I_MUTEX_XATTR) instead.  Does the
> patch below make any sense?

These syzkaller reports result from mounting a corrupted (fuzzed) file
system typically when an inode is used in multiple contexts (e.g., as
a directory and an EA inode, etc.) at the same time.

I'd have to take a closer look to see if it makes sense, but in
general, very often whenever we try to fix one of these it ends up
triggering some other syzkaller failure.  And, these sorts of things
don't actually result in actual security problems (at worst, a hang /
denial of service attack), and the right thing to do is to just run
fsck on the !@...? file system before mounting the thing.

The best way to protect systems against threat model of users picking
up a random USB stick dropped in a parking lot that contains a
maliciously fuzzed file system is to either (a) run fsck before
allowing the file system to be mounted, (b) enable the enterprise
policy that prohibits USB thumb drives from being automounted, or (c)
mount USB stick in some kind of VM (e.g., CrosVM) and then use a
reverse virtiofs / 9pfs / fuse to make the file system be available in
the host system.

The last would be best solution, but it would require development
work.  So I mention it in the hopes that at some point I can convince
some company to pick it up, since it would significantly improve
security for all desktops, laptops, and mobile systems that want to
support mounting removeable storage.

In any case, trying to fix these sorts of syzkaller warnings is
essentially playing whack-a-mole, and so while I don't have objections
to these sorts of fixes, if it causes any kind of regression or worse,
*two* new syzkaller failures, it just makes life harder for overworked
ext4 developers.  :-)

Cheers,

						- Ted

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ