From: Dave Chinner <david@fromorbit.com>
To: Kees Cook <keescook@google.com>
Cc: Dwight Engen <dwight.engen@oracle.com>,
LKML <linux-kernel@vger.kernel.org>,
Brian Foster <bfoster@redhat.com>,
Dave Chinner <dchinner@redhat.com>,
Gao feng <gaofeng@cn.fujitsu.com>, Ben Myers <bpm@sgi.com>,
Greg KH <gregkh@linuxfoundation.org>,
xfs@oss.sgi.com
Subject: Re: XFS security fix never sent to -stable?
Date: Tue, 10 Dec 2013 10:30:02 +1100 [thread overview]
Message-ID: <20131209233002.GV31386@dastard> (raw)
In-Reply-To: <CAGXu5jLKkgYg5UWJc8xBGN5NgDh68Q3YRxO--zmDL86BWPH78A@mail.gmail.com>
[CC the xfs list. Kees - I shouldn't have to remind you to do this. ]
On Thu, Dec 05, 2013 at 04:35:50PM -0800, Kees Cook wrote:
> Hi,
>
> It looks like 8c567a7fab6e086a0284eee2db82348521e7120c ("xfs: add
> capability check to free eofblocks ioctl") is a security fix that was
> never sent to -stable? From what I can see, it was introduced in 3.8
> by 8ca149de80478441352a8622ea15fae7de703ced ("xfs: add
> XFS_IOC_FREE_EOFBLOCKS ioctl").
>
> I don't see this in the 3.8.y tree. Should it be added there and newer?
Well, it's not really a security problem at all, given that it only
affects speculative preallocation beyond EOF. i.e. it affects
filesystem metadata that does not yet index any user data.
Indeed, the kernel already does exactly what this ioctl does every 5
minutes without user intervention. i.e. it's simply a maintenance
task we need to execute periodically or on demand as a result of
other events (e.g. from a userspace daemon that is listen to quota
exhaustion messages).
So apart from allowing a user to burn some CPU with the ioctl doing
nothing but scanning, there's little in way of a security problem
being exposed on kernels prior to 3.12 here.
The reason for the cap check? Turning off this ioctl in containers
restricted by user name spaces. i.e. new functionality added to XFS
in 3.12 introduced curiously vague and difficult to explain new
inode access restrictions, so we took the "be safe by default" route
and only allowed the init namespace access to the ioctl....
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2013-12-09 23:30 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-12-06 0:35 XFS security fix never sent to -stable? Kees Cook
2013-12-06 14:43 ` Dwight Engen
2013-12-06 15:06 ` Brian Foster
2013-12-09 12:15 ` Luis Henriques
2013-12-09 13:17 ` Josh Boyer
2013-12-09 23:55 ` Dave Chinner
2013-12-10 7:56 ` Greg KH
2013-12-10 13:15 ` Josh Boyer
2013-12-10 14:31 ` Eric Sandeen
2013-12-10 15:57 ` Ben Myers
2013-12-17 13:58 ` Luis Henriques
2013-12-10 13:20 ` Josh Boyer
2013-12-11 1:03 ` Dave Chinner
2013-12-11 1:10 ` Josh Boyer
2013-12-11 2:00 ` Dave Chinner
2013-12-11 2:12 ` Greg KH
2013-12-11 2:45 ` Kees Cook
2013-12-11 4:17 ` Dave Chinner
2013-12-11 8:27 ` Dan Carpenter
2013-12-09 23:30 ` Dave Chinner [this message]
2013-12-11 2:36 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131209233002.GV31386@dastard \
--to=david@fromorbit.com \
--cc=bfoster@redhat.com \
--cc=bpm@sgi.com \
--cc=dchinner@redhat.com \
--cc=dwight.engen@oracle.com \
--cc=gaofeng@cn.fujitsu.com \
--cc=gregkh@linuxfoundation.org \
--cc=keescook@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox