lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAGudoHHB6CsVntmBTgXd_nP727eGg6xr_cPe2=p6FyAN=rTvzw@mail.gmail.com>
Date: Sat, 22 Feb 2025 13:12:47 +0100
From: Mateusz Guzik <mjguzik@...il.com>
To: Kees Cook <kees@...nel.org>
Cc: Ronald Monthero <debug.penguin32@...il.com>, al@...rsen.net, gustavoars@...nel.org, 
	linux-kernel@...r.kernel.org, linux-hardening@...r.kernel.org, 
	brauner@...nel.org, jack@...e.cz, linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] qnx4: fix to avoid panic due to buffer overflow

On Fri, Feb 21, 2025 at 6:38 PM Kees Cook <kees@...nel.org> wrote:
>
> On Fri, Feb 21, 2025 at 03:51:23PM +0100, Mateusz Guzik wrote:
> > On Sun, Nov 12, 2023 at 07:53:53PM +1000, Ronald Monthero wrote:
> > > qnx4 dir name length can vary to be of maximum size
> > > QNX4_NAME_MAX or QNX4_SHORT_NAME_MAX depending on whether
> > > 'link info' entry is stored and the status byte is set.
> > > So to avoid buffer overflow check di_fname length
> > > fetched from (struct qnx4_inode_entry *)
> > > before use in strlen to avoid buffer overflow.
> > >
> >
> > Inspired by removals of reiserfs and sysv I decided to try to whack
> > qnx4.
>
> I have no strong opinion here beyond just pointing out that it appears
> that the qnx4 fs is still extant in the world. QNX itself is still alive
> and well and using this filesystem based on what I can find.
>

I'm aware.

However, we reached a point where should someone need to access a
now-removed filesystem, they can spin up a VM with an older system to
do it (including with one of the myriad Linux distro releases).
Suppose support disappears tomorrow. You still have something like
debian which will have a kernel with the module for several years. But
suppose you are years down the road and all the Linux distros which
had it are past EOL and you still need it. For the purpose of reading
the sucker, you can still use them.

So I don't believe this will cut anyone off of transferring data out
of a filesystem which got whacked upstream. That's concerning old
filesystems in general.

As for qnx4 in particular, should you git log on it, you will find the
support is read-only. And should you read between the commits (if you
will) I am not at all convinced even that was high quality to begin
with -- looks like an abandoned WIP.

General tune is not holding the codebase hostage to obsolete (and
probably not at all operational) components. If in doubt, prune it.

This reminded me of a funny remark made by someone else concerning
removal of drivers for stale hardware. It was in the lines of "if you
ask if anyone is still using it, someone will respond they have an old
machine in their garage which they were totally going to boot up this
weekend. if you just remove it, nobody will ever notice".

If it was not for the aforementioned bugfix, I would be sending a
removal instead.
-- 
Mateusz Guzik <mjguzik gmail.com>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ