From: "Theodore Ts'o" <tytso@mit.edu>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: Greg KH <gregkh@linuxfoundation.org>,
cve@kernel.org, linux-cve-announce@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: REJECTED: CVE-2025-0927: heap overflow in the hfs and hfsplus filesystems with manually crafted filesystem
Date: Tue, 13 May 2025 08:05:49 -0400
Message-ID: <20250513120549.GA9943@mit.edu>
In-Reply-To: <CACT4Y+as-Uy_BUjLDxfNwC2+78U3kJdaaKL=vbUNMZH9VcLiGQ@mail.gmail.com>
On Tue, May 13, 2025 at 09:09:34AM +0200, Dmitry Vyukov wrote:
> I just hoped for something at least somewhat stronger. Bugs flagged by
> fsck won't require fixing in that model.
Well, if you have the budget and the headcount to back up that hope,
you know where to reach me. Personally, I've hoped to win the lottery
and own a private jet, but given that I'm not willing to pay the $$$
for the private jet --- I fly economy.
Consider carabiners. I have one that I use for fastening my keys to
my belt loop or knapsack. But there are also carabiners that are
certified for climbing. If you try to use the former for climbing, it
wouldn't be safe. But the climbing carabiner is a lot more expensive
and a lot heavier.
As far as file systems are concerned, a hardened file system will be
more expensive, and will have less performance. But if you are using
file systems in a data center, where the hard drive is within the
Trusted Computing Base, paying the costs for a hardened file system is
silly. And in fact, companies are not silly; I have yet to work for a
company, including my current employer, which has been willing to
invest in a hardened file system.
Now, the good news is that there are ways we can use a non-hardened
file system in a safe way. You just have to have the system enforce the
constraint that the file system must be fsck'ed before mounting the
file system.
If you want to be even more paranoid (or the proprietary file system
doesn't have a good fsck), you could mount the file system via a guest
kernel running in a VM, where the VM is locked down using a seccomp
sandbox, and which provides file system services via 9pfs to the host
kernel. 9pfs is a remote file system which is easy to audit, and this
is a key part of the security strategy used by gVisor.
See? Easy peasy! And far cheaper than attempting to harden a file
system.
- Ted
P.S. If some company wants the equivalent of a titanium carabiner,
where we invest a huge amount of SWE effort in making a hardened file
system which is as performant as possible, I'm certainly willing to
work with such a team. I haven't yet seen the business case where the
ROI makes sense, but perhaps some company has a unique situation where
such an investment makes sense.
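As an added illustration of the "fsck before mounting" constraint described in the mail above (this script is not part of the mail; the names fsck_verdict and safe_mount are chosen here, and it assumes a util-linux style fsck(8) and mount(8) on PATH, run as root), it maps the fsck exit-status bitmask to a mount decision and refuses to mount anything fsck could not repair:

```shell
#!/bin/sh
# Added example: enforce "fsck before mount" on untrusted images.
# fsck(8) exit status is a bitmask: 0 no errors, 1 errors corrected,
# 2 system should be rebooted, 4 errors left uncorrected, 8 operational
# error, 16 usage error, 32 cancelled, 128 shared-library error.

# Translate an fsck exit status into one of: mount, reboot, refuse.
fsck_verdict() {
    status=$1
    # Bits 0 and 1 sum to at most 3; anything at or above 4 means the
    # filesystem was not brought to a consistent state, so never mount it.
    if [ "$status" -ge 4 ]; then
        echo refuse
    elif [ $((status & 2)) -ne 0 ]; then
        # Repairs were made that require a reboot before use.
        echo reboot
    else
        echo mount
    fi
}

# Mount DEVICE of type FSTYPE at MOUNTPOINT only after a successful fsck.
# -p = preen (apply safe automatic repairs), -T = suppress the banner.
# These names (safe_mount, the arguments) are assumptions for this example.
safe_mount() {
    device=$1; mountpoint=$2; fstype=$3
    fsck -T -p -t "$fstype" "$device"
    status=$?
    case "$(fsck_verdict "$status")" in
        mount)
            mount -t "$fstype" "$device" "$mountpoint" ;;
        reboot)
            echo "fsck repaired $device but requires a reboot; not mounting" >&2
            return 2 ;;
        refuse)
            echo "fsck could not repair $device (status $status); not mounting" >&2
            return 1 ;;
    esac
}
```

The same gate can be wired into a mount(8) wrapper or a udev rule so that removable or guest-supplied images never reach the kernel's filesystem parser without a prior check.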