From: "Austin S. Hemmelgarn" <ahferroin7@gmail.com>
To: dsterba@suse.cz, Graham Cobb <g.btrfs@cobb.uk.net>,
linux-btrfs@vger.kernel.org
Subject: Re: Security implications of btrfs receive?
Date: Fri, 9 Sep 2016 12:58:35 -0400 [thread overview]
Message-ID: <75086f33-fb47-a6ce-213e-cf423fa3dcea@gmail.com> (raw)
In-Reply-To: <20160909161843.GY16983@twin.jikos.cz>
On 2016-09-09 12:18, David Sterba wrote:
> On Wed, Sep 07, 2016 at 07:58:30AM -0400, Austin S. Hemmelgarn wrote:
>> On 2016-09-06 13:20, Graham Cobb wrote:
>>> Thanks to Austin and Duncan for their replies.
>>>
>>> On 06/09/16 13:15, Austin S. Hemmelgarn wrote:
>>>> On 2016-09-05 05:59, Graham Cobb wrote:
>>>>> Does the "path" argument of btrfs-receive mean that *all* operations are
>>>>> confined to that path? For example, if a UUID or transid is sent which
>>>>> refers to an entity outside the path will that other entity be affected
>>>>> or used?
>>>> As far as I know, no, it won't be affected.
>>>>> Is it possible for a file to be created containing shared
>>>>> extents from outside the path?
>>>> As far as I know, the only way for this to happen is if you're
>>>> referencing a parent subvolume for a relative send that is itself
>>>> sharing extents outside of the path. From a practical perspective,
>>>> unless you're doing deduplication on the receiving end, the this
>>>> shouldn't be possible.
>>>
>>> Unfortunately that is not the case. I decided to do some tests to see
>>> what happens. It is possible for a receive into one path to reference
>>> and access a subvolume from a different path on the same btrfs disk. I
>>> have created a bash script to demonstrate this at:
>>>
>>> https://gist.github.com/GrahamCobb/c7964138057e4e092a75319c9fb240a3
>>>
>>> This does require the attacker to know the (source) subvolume UUID they
>>> want to copy. I am not sure how hard UUIDs are to guess.
>> Oh, I forgot about the fact that it checks the whole filesystem for
>> referenced source subvolumes.
>
> What if the stream is verified first? Ie. look if there are the
> operations using subolumes not owned by the user.
>
I think that extending the ioctl to require proof of access to the
source being cloned from would be a better approach to this, as this is
an issue with the ioctl in general, it's just discussion of send/receive
that brought this up. I'm actually kind of surprised that this didn't
get noticed before, seeing as it's a pretty significant and not all that
difficult to use information leak. Ideally, this needs to be decided
before the VFS layer clone ioctl gets finalized.
next prev parent reply other threads:[~2016-09-09 16:58 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-05 9:59 Security implications of btrfs receive? Graham Cobb
2016-09-05 14:33 ` Duncan
2016-09-06 12:15 ` Austin S. Hemmelgarn
2016-09-06 17:20 ` Graham Cobb
2016-09-07 11:58 ` Austin S. Hemmelgarn
2016-09-07 14:44 ` Christoph Anton Mitterer
2016-09-07 14:55 ` Austin S. Hemmelgarn
2016-09-07 15:20 ` Austin S. Hemmelgarn
2016-09-07 16:10 ` Graham Cobb
2016-09-07 17:33 ` Austin S. Hemmelgarn
2016-09-09 16:18 ` David Sterba
2016-09-09 16:58 ` Austin S. Hemmelgarn [this message]
2016-09-07 14:41 ` Christoph Anton Mitterer
2016-09-07 15:06 ` Austin S. Hemmelgarn
2016-09-07 16:27 ` Graham Cobb
2016-09-07 18:07 ` Christoph Anton Mitterer
2016-09-07 19:08 ` Austin S. Hemmelgarn
2016-09-07 19:34 ` Chris Murphy
2016-09-08 11:48 ` Austin S. Hemmelgarn
2016-09-09 18:58 ` Chris Murphy
2016-09-10 19:27 ` Chris Murphy
2016-09-12 11:24 ` Austin S. Hemmelgarn
2016-09-12 20:25 ` Chris Murphy
2016-09-13 11:46 ` Austin S. Hemmelgarn
2016-09-09 16:33 ` David Sterba
2016-09-09 17:21 ` Austin S. Hemmelgarn
2016-09-07 20:29 ` Zygo Blaxell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=75086f33-fb47-a6ce-213e-cf423fa3dcea@gmail.com \
--to=ahferroin7@gmail.com \
--cc=dsterba@suse.cz \
--cc=g.btrfs@cobb.uk.net \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).