Re: [PATCH] ext4: remove some redundant corruption checks

["Theodore Ts'o" <tytso@mit.edu>]

On Thu, May 23, 2019 at 08:48:43PM +0800, Chengguang Xu wrote:
> Remove some redundant corruption checks in
> ext4_xattr_block_get() and ext4_xattr_ibody_get()
> because ext4_xattr_check_entries() has done those
> checks.
> 
> Signed-off-by: Chengguang Xu <cgxu519@zoho.com.cn>

I deliberately left in the redundant checks.

That's because we still have issues where a buffer can be verified for
some other block type (say, an allocation bitmap), but if that block
is also referenced as an xattr block, we could cause a kernel crash,
or worse, we might be end up corrupting kernel memory in some way that
would lead to a privilege escalation test.

I would actually prefer that we have enough tests ant the Time Of Use
that we wouldn't need to check the whole xattr block the first time we
read it into memory.  The way we are doing it today, we are very much
vulnerable to TOC/TOU bugs/vulnerabilities.

In the long run we should making the xattr code so careful and robust
that we wouldn't need to use the ext4_xattr_check_entries() except as
a backup safety.  (Today, we depend on it far too much, and there have
been multiple example of deliberately/malicious crafted file systems
which can bypass the checks in ext4_xattr_check_entries() check.  Just
scan fs/ext4/xattr.c for various CVE fixes....)  So if anything we
should be adding more checks to ext4_xattr_block_get(), et. al.

					- Ted