From: Matthew Garrett
Date: Wed, 30 May 2018 13:51:44 -0700
Subject: Re: Bugs involving maliciously crafted file system
To: david@fromorbit.com
Cc: "Theodore Ts'o", sandeen@sandeen.net, ebiggers3@gmail.com, darrick.wong@oracle.com, bfoster@redhat.com, Linux Kernel Mailing List, linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com

On Wed, May 30, 2018 at 1:42 PM Dave Chinner wrote:

> We've learnt this lesson the hard way over and over again: don't
> parse untrusted input in privileged contexts. How many times do we
> have to make the same mistakes before people start to learn from
> them?

You're not wrong, but we haven't considered root to be fundamentally trustworthy for years - there are multiple kernel features that can be configured such that root is no longer able to do certain things (the one-way trap for requiring module signatures is the most obvious, but IMA in appraisal mode will also restrict root), and as a result it's not reasonable to be worried only about users - it's also necessary to prevent root from being able to deliberately mount a filesystem that results in arbitrary code execution in the kernel.