From: Christoph Anton Mitterer <calestyo@scientia.net>
To: Chris Murphy <lists@colorremedies.com>,
"Austin S. Hemmelgarn" <ahferroin7@gmail.com>
Cc: Btrfs BTRFS <linux-btrfs@vger.kernel.org>
Subject: Re: attacking btrfs filesystems via UUID collisions?
Date: Tue, 15 Dec 2015 01:35:00 +0100 [thread overview]
Message-ID: <1450139700.701.50.camel@scientia.net> (raw)
In-Reply-To: <CAJCQCtTuETCh_n3dnhPbVBx6_0dcAmNgNWN_bpsTE8goH8byKg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2133 bytes --]
On Mon, 2015-12-14 at 14:26 -0700, Chris Murphy wrote:
> The automobile is invented and due to the ensuing chaos, common
> practice of doing whatever the F you wanted came to an end in favor
> of
> rules of the road and traffic lights. I'm sure some people went
> ballistic, but for the most part things were much better without the
> brokenness or prior common practice.
Okay than take your road traffic example, apply it to filesystems.
In road traffic you have rules, e.g. pedestrians may cross the road
when their light shows green and that of the cars red.
That could be the rule, similar as to "don't have duplicate UUIDs with
btrfs".
Despite we have the rule, cars stop at red, pedestrians walk at green,
we still teach our kids: "look at both sides on the road, only cross if
there's no car (or tank or whatever ;) ) crossing.
Applying that to filesystems would be: "hope that everyone plays the
rules, but don't kill yourself in one doesn't and there are duplicate
IDs).
> So the fact we're going to have this problem with all file systems
> that incorporate the volume UUID into the metadata stream, tells me
> that the very rudimentary common practice of using dd needs to go
> away, in general practice.
Sure, for those that use multiple devices (LVM, MD, etc.), or for those
that actually just use the UUID to select the block device for each
write/read (and not use these only "once") to get the right major/minor
dev id (or whatever the kernel uses internally for path based
addressing).
> http://www.ietf.org/rfc/rfc4122.txt
> "A UUID is 128 bits long, and can guarantee uniqueness across space
> and time."
But of course not in terms of the problems we're talking about here,
where UUIDs may be accidentally or maliciously duplicated.
> Also see security considerations in section 6.
Doesn't section 6 basically imply that you can not 100% guarantee
they're equal? E.g. bad random seed on multiple systems?
Also, IIRC, one of the UUID algos just used some combination of MAC,
time and PID... which especially in VMs may even lead to dupes.
Cheers,
Chris.
[-- Attachment #2: smime.p7s --]
[-- Type: application/x-pkcs7-signature, Size: 5313 bytes --]
next prev parent reply other threads:[~2015-12-15 0:35 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-12-04 12:05 Subvolume UUID, data corruption? S.J
2015-12-04 13:07 ` Hugo Mills
2015-12-05 3:28 ` Christoph Anton Mitterer
2015-12-05 5:52 ` attacking btrfs filesystems via UUID collisions? (was: Subvolume UUID, data corruption?) Christoph Anton Mitterer
2015-12-05 12:01 ` Subvolume UUID, data corruption? Hugo Mills
2015-12-06 1:51 ` attacking btrfs filesystems via UUID collisions? (was: Subvolume UUID, data corruption?) Christoph Anton Mitterer
2015-12-11 12:33 ` Subvolume UUID, data corruption? Austin S. Hemmelgarn
2015-12-05 13:19 ` Duncan
2015-12-06 1:51 ` attacking btrfs filesystems via UUID collisions? (was: Subvolume UUID, data corruption?) Christoph Anton Mitterer
2015-12-06 4:06 ` Duncan
2015-12-09 5:07 ` Christoph Anton Mitterer
2015-12-09 11:54 ` Duncan
2015-12-06 14:34 ` attacking btrfs filesystems via UUID collisions? Qu Wenruo
2015-12-06 20:55 ` Chris Murphy
2015-12-09 5:39 ` Christoph Anton Mitterer
2015-12-09 21:48 ` S.J.
2015-12-10 12:08 ` Austin S Hemmelgarn
2015-12-10 12:41 ` Hugo Mills
2015-12-10 12:57 ` S.J.
2015-12-10 19:42 ` Chris Murphy
2015-12-11 22:21 ` Christoph Anton Mitterer
2015-12-11 22:32 ` Christoph Anton Mitterer
2015-12-11 23:06 ` Chris Murphy
2015-12-12 1:34 ` S.J.
2015-12-14 0:28 ` Christoph Anton Mitterer
2015-12-14 0:27 ` Christoph Anton Mitterer
2015-12-14 13:23 ` Austin S. Hemmelgarn
2015-12-14 21:26 ` Chris Murphy
2015-12-15 0:35 ` Christoph Anton Mitterer [this message]
2015-12-15 13:54 ` Austin S. Hemmelgarn
2015-12-15 14:18 ` Hugo Mills
2015-12-15 14:27 ` Austin S. Hemmelgarn
2015-12-15 14:42 ` Hugo Mills
2015-12-15 16:03 ` Austin S. Hemmelgarn
2015-12-16 12:14 ` Christoph Anton Mitterer
2015-12-16 12:10 ` Christoph Anton Mitterer
2015-12-16 12:03 ` Christoph Anton Mitterer
2015-12-16 14:41 ` Chris Mason
2015-12-16 15:04 ` Christoph Anton Mitterer
2015-12-17 3:25 ` Duncan
2015-12-18 0:56 ` Christoph Anton Mitterer
2015-12-22 2:13 ` Kai Krakow
2015-12-16 12:03 ` Christoph Anton Mitterer
2015-12-17 2:43 ` Duncan
2015-12-15 0:08 ` Christoph Anton Mitterer
2015-12-15 14:19 ` Austin S. Hemmelgarn
2015-12-16 12:56 ` Christoph Anton Mitterer
2015-12-14 20:55 ` Chris Murphy
2015-12-15 0:22 ` Christoph Anton Mitterer
2015-12-11 23:14 ` Eric Sandeen
2015-12-11 22:06 ` Christoph Anton Mitterer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1450139700.701.50.camel@scientia.net \
--to=calestyo@scientia.net \
--cc=ahferroin7@gmail.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=lists@colorremedies.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.