Re: [BUG] ext4: BUG_ON in ext4_write_inline_data (fs/ext4/inline.c:240)

[Demi Marie Obenour <demiobenour@gmail.com>]

[-- Attachment #1.1.1: Type: text/plain, Size: 4642 bytes --]

On 4/29/26 00:40, Theodore Tso wrote:
> On Tue, Apr 28, 2026 at 04:50:14PM -0400, Demi Marie Obenour wrote:
>> This is an example of a BadUSB attack, which has been known since
>> at least 2014.  USB sticks *do* have their own microcontrollers to
>> run their firmware.  At least in the past this firmware has been
>> programmable and not been digitally signed.  This means that the USB
>> stick *can* be reprogrammed to perform a TOCTOU attack on a filesystem,
>> or indeed to implement a completely different kind of USB device.
> 
> Honestly, if that's what you are worried about, then best solution is
> put epoxy in every single USB port.  I've since financial institutions
> that have done precisely this, and both Android and Chrome OS supports
> enterprise security policies which does the equivalent in software.

That works well in enterprises using laptops, tablets, or mobile
devices.  Enterprises can require that all devices have built-in,
non-USB input devices or touchscreens.  Furthermore, corporate
environments use network-based backup and file sharing.  So there
is hardly a need for USB except for security tokens, smart card
readers, OS installation media, and miscellaneous hardware devices
that generally will not be hotplugged.  Only the third is a block
device, it is trusted, and it can be a USB stick with a physical
write-protect switch and signed firmware.

>> Protecting against replay attacks requires a Merkle tree.  The only
>> Linux filesystems that I know have one are ZFS, bcachefs, and BTRFS.
>> The first two are out of tree and the third is not shipped in RHEL
>> at least.
> 
> FYI, there was a patch for btrfs, but it was never landed.  It's
> unclear how many people would be willing to pay the performance tax of
> using hmac-sha256 for every single data and metadata block write.   

I thought BTRFS already had one.  In any case corrupting an encrypted
disk will cause a checksum failure with fairly high probability,
as a 128-bit region is completely scrambled.

>> Of course, you are free to choose which (if any) of these attacks you
>> care about.  One can that USB sticks should be mounted in userspace,
>> UEFI secure boot with Microsoft keys is irrelevant as long as
>> administrator -> kernel isn't a security boundary on Windows, and that
>> confidential computing only makes sense for stateless workloads (which
>> can use dm-verity) until there is a way to trust storage devices.
>> But it's always best to be aware that an attack vector exists,
>> whether or not one chooses to address it.
> 
> Sure, but a drive-by comment on a patch review advocating that we slow
> down ext4 to protect a single instance where the attacker has
> read/write access to a mounted block device, when the file system
> doesn't have generalized protections against that whole class of
> attacks.... isn't particularly helpful.

My main goal is to point out that the attack vector does exist.
If nothing else, hopefully this will persuade distro maintainers
to switch to using libguestfs + FUSE as the default way to mount
USB drives.  That isolates the driver in a VM.

Qubes OS users can already mount the device in a disposable VM,
and presumably many of them already do that.  Again, this provides
strong isolation and severely limits the impact of an exploit.

I do wonder if this could be used against confidential computing
workloads.  That said, work there would more likely be put into
allowing them to attest their storage.

> By the way, I'm not aware of *any* company that has been interested in
> funding work to protect against this class of attacks.  Given that
> most file system developers prefer food with their meals, and have
> enough *other* unfunded mandates from our user community, it doesn't
> seem likely that we're going to see much forward progress towards your
> desires/interests.
I'm not surprised at all.

The people who would benefit the most from this work are consumers
who are running desktop Linux on general purpose computers they own.
I have spent most of my career providing secure solutions for these
people.  I worked on Qubes OS for several years, and I now work
on Spectrum.

Unfortunately, this group has very little budget and so very little
market power.  Therefore, work that benefits them is perpetually
and massively underfunded.  Grants do exist, and crowdfunding might
also be an option.  However, unless one is very passionate about the
client space, it is hard to resist much better-paying jobs in the
server world.
-- 
Sincerely,
Demi Marie Obenour (she/her/hers)

[-- Attachment #1.1.2: OpenPGP public key --]
[-- Type: application/pgp-keys, Size: 7253 bytes --]

[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]