Re: [PATCH 9/9] xfs: repair obviously broken inode modes

["Darrick J. Wong" <djwong@kernel.org>]

On Wed, Dec 06, 2023 at 10:10:00PM -0800, Christoph Hellwig wrote:
> I really do not thing turning an unknown mode, which means potentially
> user controlled data in regular files or symlink bodies into file system
> metadata in directories is ever a good idea.  Quite contrary, I think
> it is a security risk waiting for exploits.  So for anything that takes
> an unknown inode and turns it into a directory or block/char special
> file: NAK.

I probably shouldn't have resent this as the COVID fever set in.
Granted, I predicted (mostly correctly) that I'd still be a bit messed
in the head five days later.

block/char/special files... I guess those can just turn into zero length
regular files.

Would this NAK remain even if there were external corroborating
evidence?

For example, what if we read the dirents out of the first directory
block, seek out parent pointers in the alleged children, and confirm a
1:1 match between the alleged dirents and pptrs?  Unprivileged userspace
can certain create a regular file N that looks like a dirent block, but
it cannot create dangling pptrs back to N to trick the verification
algorithm.

(Obviously any patch implementing this will come much later in the
series)

--D