Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp1448472imm; Wed, 23 May 2018 16:42:38 -0700 (PDT) X-Google-Smtp-Source: AB8JxZpkTJD4EElbzj+b9jHotHao8+kLpLcWpfM6XkfSV5yAL7JYoGnxbVI1bZGIyetIH0F1B8HK X-Received: by 2002:a62:6105:: with SMTP id v5-v6mr4756885pfb.197.1527118958520; Wed, 23 May 2018 16:42:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527118958; cv=none; d=google.com; s=arc-20160816; b=REK2/b1z6U5+jxdWUAk9h2orCocIEfjti/G0UcCXqelI4fH0h5Mu683a6TEvuOVuD9 mLJkjwjx81j7HWcFHSzxbuvpWAR8yQWLCrZIHokIICT0WOtB+PyZDb8CGAdXl3/GxlyR U8Vrhf0HUADFXUPZceCFArLlH3S0CaTsYxtWqef+DikyNXNQ+OE1JGPVhkMgQNLwcCv3 7AbTLEDWqIGMYntPvj1qAcwzYtnNVu6AyeLHKcVRNpSzi3pILYGuLf3cD6g4JVnIyZ6P lujdPrULTvJX8a1Ts3eIsY+fQsTx6/ODy8tsMfIk78COzvt5pR8RvBTO46E8mrF02Wt8 5o5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature :arc-authentication-results; bh=PybUzVYH+YiP5MQMLai8mrmadWVKDAz77PxT2oNch7M=; b=GrRbTcN1BozJsVHVKejqAvfFBp0v85VSAOWHnyvdFdhEON0HHqqY1V2oWiMJRKGt/v flTnvgEMOb7CYgSeljNo72xw7XQTXXscq5N5eUTx53Y6GWcpLnbF5j4ebjpi3ZGNnIqA TltioIO/AF60ZZxJb458xwXOPl7L5xzc436ySSshgle0th7JnWivgBZcuFW4CGvb7dQD DKC3UxW95nlAaMR3MowTDHfbw0Rk2xDK2t+LCvOSa5beRosy93lXX115b3Z06VRytwrJ Ix6bzO8/cw2fO8dE0dKKzmEZX6XUi7cJJbXHVaSU1EztQlmDeSiyiB2iEaHQ6WU+6OJ0 IX5Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=hU7JuO6y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v23-v6si20605315pfl.233.2018.05.23.16.42.23; Wed, 23 May 2018 16:42:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@thunk.org header.s=ef5046eb header.b=hU7JuO6y; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935141AbeEWXlX (ORCPT + 99 others); Wed, 23 May 2018 19:41:23 -0400 Received: from imap.thunk.org ([74.207.234.97]:46962 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935015AbeEWXlV (ORCPT ); Wed, 23 May 2018 19:41:21 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=thunk.org; s=ef5046eb; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID: Subject:Cc:To:From:Date:Sender:Reply-To:Content-Transfer-Encoding:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=PybUzVYH+YiP5MQMLai8mrmadWVKDAz77PxT2oNch7M=; b=hU7JuO6yR2NpgS8PLJgPbbv7ZJ q3RKFqkfe3D9YPICwpunAYiZdDp6et0BpnlA0yOvrK+m//bHJwQCZLJQQKxFdHV3FEmlSPILRgTsU dG1aCzW1uPD1ByJPRRoFtq360yT4qMhrJSiCF1rmHgkBjLdJ4Janb4b6J3bZlltAHp6g=; Received: from root (helo=callcc.thunk.org) by imap.thunk.org with local-esmtp (Exim 4.89) (envelope-from ) id 1fLdNc-0005VP-C8; Wed, 23 May 2018 23:41:16 +0000 Received: by callcc.thunk.org (Postfix, from userid 15806) id 135597A3EB3; Wed, 23 May 2018 19:41:15 -0400 (EDT) Date: Wed, 23 May 2018 19:41:15 -0400 From: "Theodore Y. Ts'o" To: Eric Sandeen Cc: Eric Biggers , "Darrick J. Wong" , Dave Chinner , Brian Foster , linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Bugs involving maliciously crafted file system Message-ID: <20180523234114.GA3434@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Eric Sandeen , Eric Biggers , "Darrick J. Wong" , Dave Chinner , Brian Foster , linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com References: <000000000000457b2d056cbb0044@google.com> <20180522123107.GC3751@bfoster.bfoster> <20180522222620.GW23861@dastard> <20180522225208.GB658@sol.localdomain> <20180523074425.GM14384@magnolia> <20180523162015.GA3684@sol.localdomain> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.5 (2018-04-13) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, May 23, 2018 at 01:01:59PM -0500, Eric Sandeen wrote: > > What I'm personally hung up on are the bugs where the "exploit" involves merely > mounting a crafted filesystem that in reality would never (until the heat death > of the universe) corrupt itself into that state on its own; it's the "malicious > image" case, which is quite different than exposing fundamental bugs like the > SB_BORN race or or the user-exploitable ext4 flaw you mentioned in your reply. > Those are more insidious and/or things which can be hit by real users in real life. Well, it *can* be hit in real life. If you have a system which auto mounts USB sticks, then an attacker might be able to weaponize that bug by creating a USB stick where mounted and the user opens a particular file, the buffer overrun causes code to be executed that grabs the user's credentials (e.g., ssh-agent keys, OATH creds, etc.) and exfiltrates them to a collection server. Fedora and Chrome OS might be two such platforms where someone could very easily create a weaponized exploit tool where you could insert a file system buffer overrun bug, and "hey presto!" it becomes a serious zero day vulnerability. (I recently suggested to a security researcher who was concerned that file system developers weren't taking these sorts of things seriously enough could do a service to the community by creating a demonstration about how these sorts of bugs can be weaponized. And I suspect it could be about just as easily on Chrome OS as Fedora, and that can be one way that an argument could be made to management that more resources should be applied to this problem. :-) Of course, not all bugs triggered by a maliciously crafted file system are equally weaponizable. An errors=panic or a NULL derefrence are probably not easily exploitable at all. A buffer overrun (and I fixed two in ext4 in the last two days while being stuck in a T13 standards meeting, so I do feel your pain) might be a very different story. Solutions --------- One of the things I've wanted to get help from the syzbot folks is if there was some kind of machine learning or expert system evaluation that could be done so malicious image bugs could be binned into different categories, based on how easily they can be weaponized. That way, when there is a resource shortage situation, humans can be more easily guided into detremining which bugs should be prioritized and given attention, and which we can defer to when we have more time. Or maybe it would be useful if there was a way where maintainers could be able to annotate bugs with priority and severity levels, and maybe make comments that can be viewed from the Syzbot dashboard UI. The other thing that perhaps could be done is to set up a system where the USB stick is automounted in a guest VM (using libvirt in Fedora, and perhaps Crostini for Chrome OS), and the contents of the file system would then get exported from the guest OS to the host OS using either NFS or 9P. (9P2000.u is the solution that was used in gVisor[1].) [1] https://github.com/google/gvisor It could be that putting this kind of security layer in front to automounted USB sticks is less work than playing whack-a-mole fixing a lot of security bugs with maliciously crafted file systems. - Ted