From: "Theodore Tso" <tytso@mit.edu>
To: Andreas Dilger <adilger@dilger.ca>
Cc: 4fqr <4fqr@proton.me>,
"linux-ext4@vger.kernel.org" <linux-ext4@vger.kernel.org>
Subject: Re: [SECURITY] e2fsprogs v1.47.4 Vulnerabilities — Orphan File & Extent Handling
Date: Fri, 3 Apr 2026 19:11:24 -0400 [thread overview]
Message-ID: <20260403231124.GE16311@macsyma-wired.lan> (raw)
In-Reply-To: <0778B5AC-16ED-4736-AE64-849541629466@dilger.ca>
On Fri, Apr 03, 2026 at 10:17:38AM -0600, Andreas Dilger wrote:
>
> I don't see how this exposes any kind of security vulnerability if it
> requires that the image be specially modified in the first place?
> At that point the "attacker" can directly modify the image in any way
> they want, regardless of how e2fsprogs behaves.
After taking a closer look the "vulnerabilities", I understand where
Andreas is coming from. If the threat model is "the attacker can
modify the file system, then the fact that you can craft the orphan to
"force" the the file system to release an inode isn't interesting ---
because the attacker could just simply overwrite the inode and mark
the blocks as not in use in the block allocation directly.
If there was a way an attempt to pass an inode number which is very
large to release_orphan_inode() could result in a buffer overrun, then
that might be interesting. But the oh, nooes! You might be able to
force the file system to release the resize inode is not interesting;
the attacker could just stomp on the resize inode directly.
Should we add some better bounds checking? Sure, so that we can give
a more user-friendly error message, and reduce the chance of
accidentally making things worse if the file system is corrupted by
chance and metadata checksum is not enabled. But is it a "security
vulnerability"? No.
No, if you could actually force a malicious payload to run due to a
stack overrun attack, that would be interesting. And I was expecting
to find *something* like that in your analysis, only to be
disappointed.
Cheers,
- Ted
prev parent reply other threads:[~2026-04-03 23:11 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-03 11:29 [SECURITY] e2fsprogs v1.47.4 Vulnerabilities — Orphan File & Extent Handling 4fqr
2026-04-03 13:48 ` Theodore Tso
2026-04-03 16:17 ` Andreas Dilger
2026-04-03 18:34 ` Theodore Tso
2026-04-03 23:11 ` Theodore Tso [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260403231124.GE16311@macsyma-wired.lan \
--to=tytso@mit.edu \
--cc=4fqr@proton.me \
--cc=adilger@dilger.ca \
--cc=linux-ext4@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox