From: "Theodore Ts'o" <tytso@mit.edu>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Gabriel Krisman Bertazi <krisman@suse.de>,
viro@zeniv.linux.org.uk, brauner@kernel.org, jaegeuk@kernel.org,
linux-fsdevel@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net
Subject: Re: [PATCH v5 01/10] fs: Expose helper to check if a directory needs casefolding
Date: Sat, 12 Aug 2023 19:06:47 -0400 [thread overview]
Message-ID: <20230812230647.GB2247938@mit.edu> (raw)
In-Reply-To: <20230812015915.GA971@sol.localdomain>
On Fri, Aug 11, 2023 at 06:59:15PM -0700, Eric Biggers wrote:
>
> To be honest I've always been confused about why the ->s_encoding check is
> there. It looks like Ted added it in 6456ca6520ab ("ext4: fix kernel oops
> caused by spurious casefold flag") to address a fuzzing report for a filesystem
> that had a casefolded directory but didn't have the casefold feature flag set.
> It seems like an unnecessarily complex fix, though. The filesystem should just
> reject the inode earlier, in __ext4_iget(). And likewise for f2fs. Then no
> other code has to worry about this problem.
It's not enough to check it in ext4_iget, since the casefold flag can
get set *after* the inode has been fetched, but before you try to use
it. This can happen because syzbot has opened the block device for
writing, and edits the superblock while it is mounted.
One could say that this is an insane threat model, but the syzbot team
thinks that this can be used to break out of a kernel lockdown after a
UEFI secure boot. Which is fine, except I don't think I've been able
to get any company (including Google) to pay for headcount to fix
problems like this, and the unremitting stream of these sorts of
syzbot reports have already caused one major file system developer to
burn out and step down.
So problems like this get fixed on my own time, and when I have some
free time. And if we "simplify" the code, it will inevitably cause
more syzbot reports, which I will then have to ignore, and the syzbot
team will write more "kernel security disaster" slide deck
presentations to senior VP's, although I'll note this has never
resulted in my getting any additional SWE's to help me fix the
problem...
> So just __ext4_iget() needs to be fixed. I think we should consider doing that
> before further entrenching all the extra ->s_encoding checks.
If we can get an upstream kernel consensus that syzbot reports caused
by writing to a mounted file system aren't important, and we can
publish this somewhere where hopefully the syzbot team will pay
attention to it, sure...
- Ted
next prev parent reply other threads:[~2023-08-12 23:09 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-12 0:41 [PATCH v5 00/10] Support negative dentries on case-insensitive ext4 and f2fs Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 01/10] fs: Expose helper to check if a directory needs casefolding Gabriel Krisman Bertazi
2023-08-12 1:59 ` Eric Biggers
2023-08-12 23:06 ` Theodore Ts'o [this message]
2023-08-13 0:12 ` Eric Biggers
2023-08-13 3:08 ` Matthew Wilcox
2023-08-13 4:30 ` Eric Biggers
2023-08-14 11:38 ` Theodore Ts'o
2023-08-14 17:22 ` Eric Biggers
2023-08-15 3:59 ` Theodore Ts'o
2023-08-14 15:02 ` Gabriel Krisman Bertazi
2023-08-14 19:14 ` Eric Biggers
2023-08-14 19:26 ` Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 02/10] ecryptfs: Reject casefold directory inodes Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 03/10] 9p: Split ->weak_revalidate from ->revalidate Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 04/10] fs: Expose name under lookup to d_revalidate hooks Gabriel Krisman Bertazi
2023-08-12 2:15 ` Eric Biggers
2023-08-17 7:00 ` kernel test robot
2023-08-17 9:12 ` kernel test robot
2023-08-12 0:41 ` [PATCH v5 05/10] fs: Add DCACHE_CASEFOLDED_NAME flag Gabriel Krisman Bertazi
2023-08-12 2:17 ` Eric Biggers
2023-08-14 15:03 ` Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 06/10] libfs: Validate negative dentries in case-insensitive directories Gabriel Krisman Bertazi
2023-08-12 2:41 ` Eric Biggers
2023-08-14 14:50 ` Gabriel Krisman Bertazi
2023-08-14 18:42 ` Eric Biggers
2023-08-14 19:21 ` Gabriel Krisman Bertazi
2023-08-14 19:26 ` Eric Biggers
2023-08-12 0:41 ` [PATCH v5 07/10] libfs: Chain encryption checks after case-insensitive revalidation Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 08/10] libfs: Merge encrypted_ci_dentry_ops and ci_dentry_ops Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 09/10] ext4: Enable negative dentries on case-insensitive lookup Gabriel Krisman Bertazi
2023-08-12 0:41 ` [PATCH v5 10/10] f2fs: " Gabriel Krisman Bertazi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230812230647.GB2247938@mit.edu \
--to=tytso@mit.edu \
--cc=brauner@kernel.org \
--cc=ebiggers@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=krisman@suse.de \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox