From: bugzilla-daemon@bugzilla.kernel.org
To: linux-ext4@vger.kernel.org
Subject: [Bug 214665] New: security bug:using "truncate" bypass disk quotas limit
Date: Sat, 09 Oct 2021 10:23:45 +0000 [thread overview]
Message-ID: <bug-214665-13602@https.bugzilla.kernel.org/> (raw)
https://bugzilla.kernel.org/show_bug.cgi?id=214665
Bug ID: 214665
Summary: security bug:using "truncate" bypass disk quotas limit
Product: File System
Version: 2.5
Kernel Version: 3.10.0-1160.36.2.el7.x86_64
Hardware: All
OS: Linux
Tree: Mainline
Status: NEW
Severity: normal
Priority: P1
Component: ext4
Assignee: fs_ext4@kernel-bugs.osdl.org
Reporter: 1157599735@qq.com
Regression: No
* Overview
A system user can bypass the "disk quota limit" using the "truncate -s 10T id" command
(which creates a file whose size is 10T).
* Steps to Reproduce
1. create a user and set up a disk quota for this user
create user "test"
```
useradd test
```
create filesystem
```
[root@vm10-50-0-18 ~]# dd if=/dev/zero of=ext4 bs=1G count=1
[root@vm10-50-0-18 ~]# mkfs.ext4 ext4
[root@vm10-50-0-18 ~]# mkdir -p /tmp/test && chmod -R 777 /tmp/test && mount -o usrquota,grpquota ext4 /tmp/test
```
setup disk quota
```
[root@vm10-50-0-18 ~]# quotacheck -u /tmp/test/ # create "aquota.user" file
[root@vm10-50-0-18 ~]# edquota -u test
[root@vm10-50-0-18 ~]# quotaon /tmp/test/ -u # open quota service
```
The quota setting is as below: user "test" cannot use disk space exceeding 10K.
```
Disk quotas for user test (uid 1000):
     Filesystem  blocks   soft   hard  inodes   soft   hard
     /dev/loop0       0     10     10       0      0      0
```
2. verify the quota limit using "dd"
```
[root@vm10-50-0-18 ~]# su - test
上一次登录:六 10月 9 18:14:31 CST 2021pts/1 上
[test@vm10-50-0-18 ~]$ dd if=/dev/zero of=/tmp/test/id bs=20K count=1
loop0: write failed, user block limit reached. # yes, this limit is as expected
dd: error writing ‘/tmp/test/id’: Disk quota exceeded
1+0 records in
0+0 records out
8192 bytes (8.2 kB) copied, 0.000221445 s, 37.0 MB/s
```
This result is as expected: user "test" cannot write a file whose size is
more than 10K.
3. verify the quota limit using "truncate"
```
[test@vm10-50-0-18 test]$ truncate -s 10T id
[test@vm10-50-0-18 test]$ ll -h id
-rw-rw-r-- 1 test test 10T Oct 9 17:16 id
```
Actual result: user "test" can create a file whose size is 10T, far larger
than 10K.
Expected result: as with the "dd" result above, user "test" cannot write a file
whose size is more than 10K.
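Block quotas (the `blocks` column in the edquota output above) are charged against the blocks a file actually has allocated, not its apparent length in `st_size`. The following check is an added example, not part of the bug report: it truncates a temporary file to a large size, records how many bytes are allocated (`st_blocks`, always in 512-byte units), then writes real data into it and records the allocation again, so the two cases in the report can be compared on any local filesystem without setting up quotas. File sizes and payload are constructed values.

```python
import os
import tempfile


def apparent_and_allocated(path):
    """Return (st_size, allocated bytes) for path.

    st_blocks is reported in 512-byte units by stat(2) regardless of the
    filesystem block size; allocated bytes is what quota accounting charges.
    """
    st = os.stat(path)
    return st.st_size, st.st_blocks * 512


def quota_kib(path):
    """Allocated size in 1 KiB units, matching the 'blocks' column of edquota/quota."""
    return apparent_and_allocated(path)[1] // 1024


def sparse_vs_written(size_bytes, payload):
    """Create a file of size_bytes with truncate (no data written), then write
    payload at offset 0. Returns ((size, allocated) after truncate,
                                 (size, allocated) after the write)."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.truncate(path, size_bytes)          # same operation as truncate -s
        sparse = apparent_and_allocated(path)
        with open(path, "r+b") as f:
            f.write(payload)                   # same kind of operation as dd
            f.flush()
            os.fsync(f.fileno())
        written = apparent_and_allocated(path)
    finally:
        os.unlink(path)
    return sparse, written


if __name__ == "__main__":
    # Constructed values mirroring the report: 10T truncate vs a 20K write.
    sparse, written = sparse_vs_written(10 * 2**40, b"\0" * 20 * 1024)
    print("after truncate: size=%d allocated=%d" % sparse)
    print("after write:    size=%d allocated=%d" % written)
```

The truncated file reports the full apparent size but zero allocated bytes, so nothing is charged to the block quota until data is actually written into the hole.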