From: David Howells <dhowells@redhat.com>
To: "Theodore Y. Ts'o" <tytso@mit.edu>,
Jaegeuk Kim <jaegeuk@kernel.org>,
Eric Biggers <ebiggers@kernel.org>
Cc: dhowells@redhat.com, jlayton@kernel.org,
linux-fscrypt@vger.kernel.org, linux-fsdevel@vger.kernel.org
Subject: fscrypt and potential issues from file sparseness
Date: Wed, 26 Jan 2022 12:44:14 +0000 [thread overview]
Message-ID: <124549.1643201054@warthog.procyon.org.uk> (raw)
Hi,
I'm looking at doing content encryption in the network filesystem support
library. It occurs to me that if the filesystem can record sparsity in the
file, then a couple of issues may arise if we wish to use that to record
zeroed source blocks (ie. the unencrypted blocks). It further occurs to me
that this may occur in extent-based filesystems such as ext4 that support
fscrypt and also do extent optimisation.
The issues are:
(1) Recording source blocks that are all zeroes by not storing them and
leaving a hole in a content is a minor security hole as someone looking
at the file can derive information about the contents from that. This
probably wouldn't affect most files, but it might affect database files.
(2) If the filesystem stores a hole for a *source* block of zeroes (not an
encrypted block), then it has the same problems as cachefiles:
(a) A block of zeroes written to disk (ie. an actually encrypted block)
is very, very unlikely to represent a source block of zeroes, but the
optimiser can punch it out to reduce an extent and recover disk space,
thereby leaving a hole.
(b) The optimiser could also *insert* blocks of zeroes to bridge an
extent, thereby erasing a hole - but the zeroes would be very unlikely to
decrypt back to a source block of zeroes.
If either event occurs, data corruption will ensue.
To evade this one, we have to do one of the following:
1. Don't use sparsity to record source blocks of zeroes
2. Disable extent optimisations of these sorts
3. Keep a separate map of the content
Now, I don't know if fscrypt does this. It's hard to tell.
David
next reply other threads:[~2022-01-26 12:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-26 12:44 David Howells [this message]
2022-01-26 18:52 ` fscrypt and potential issues from file sparseness Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=124549.1643201054@warthog.procyon.org.uk \
--to=dhowells@redhat.com \
--cc=ebiggers@kernel.org \
--cc=jaegeuk@kernel.org \
--cc=jlayton@kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox