From: Dmitry Vyukov
Date: Mon, 11 Jun 2018 15:11:17 +0200
Subject: Re: Bugs involving maliciously crafted file system
To: Matthew Garrett
Cc: Dave Chinner, Theodore Ts'o, Eric Sandeen, Eric Biggers, Darrick J. Wong, Brian Foster, Linux Kernel Mailing List, linux-xfs, syzkaller-bugs
List-ID: linux-kernel@vger.kernel.org
References: <000000000000457b2d056cbb0044@google.com> <20180522123107.GC3751@bfoster.bfoster> <20180522222620.GW23861@dastard> <20180522225208.GB658@sol.localdomain> <20180523074425.GM14384@magnolia> <20180523162015.GA3684@sol.localdomain> <20180523234114.GA3434@thunk.org> <20180524004931.GB23861@dastard>

On Wed, May 30, 2018 at 10:51 PM, 'Matthew Garrett' via syzkaller-bugs wrote:
> On Wed, May 30, 2018 at 1:42 PM Dave Chinner wrote:
>> We've learnt this lesson the hard way over and over again: don't
>> parse untrusted input in privileged contexts. How many times do we
>> have to make the same mistakes before people start to learn from
>> them?
>
> You're not wrong, but we haven't considered root to be fundamentally
> trustworthy for years - there are multiple kernel features that can be
> configured such that root is no longer able to do certain things (the
> one-way trap for requiring module signatures is the most obvious, but
> IMA in appraisal mode will also restrict root), and as a result it's
> not reasonable to be worried only about users - it's also necessary to
> prevent root from being able to deliberately mount a filesystem that
> results in arbitrary code execution in the kernel.

FWIW, Android also does not consider root as a trusted entity. It's
limited by SELinux and maybe something else. The kernel becomes the main
attack target on Android. Even if attackers get root, they still go for
kernel execution or kernel data corruption to do anything harmful. And
the kernel is exploited with use-after-frees, out-of-bounds, double-frees,
etc.