Received: by 2002:a05:6a10:2785:0:0:0:0 with SMTP id ia5csp35565pxb; Tue, 12 Jan 2021 19:13:55 -0800 (PST) X-Google-Smtp-Source: ABdhPJx72gqoJMPCDzo0iC5BSmAyuH75jLsgp2ev14xmX22EIe2kqQhtsr/qqxRwwlqlN+Ehbj9i X-Received: by 2002:aa7:da8f:: with SMTP id q15mr91129eds.239.1610507635523; Tue, 12 Jan 2021 19:13:55 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610507635; cv=none; d=google.com; s=arc-20160816; b=kA6ss/ffvRxvtz1hhNEjZzlWyIcGM5NfI7XySoREmT41eW4RoRIF756xXsz/kPeTOa jEiJMb36BShzW7CBwPQopP4JTx3D/u1N0tr1E0Ykp/K7OdGE91g22TXfnM1V8jCQF8RK Dv8WHq1LzeaXbwHqltH8GwHK4tMg6IIDCN4vQyCg4YASL5oedfPw0flKbUggz9etVhi6 UoXVmj+4VTpdV4YaeXoCuNL60OOYY7+Vtj0J4KfhZnwT2/8xyxzTsUDAPrJigPKtuVqz 3y97x57F3VUSvcwQ1jnSjUZbPMDQTa0JG8RmQXjT/zAuk8MdZz8MMJ+dh01uo1MnbqiA cgtQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=+hpa2cBKpaDZ/Dt0T9ynQhRAC/wJW02VkQtn8aiyHrQ=; b=xrhfp/1gG6ESom/++IxUbzrEGTBswlZFqJQ7nFbgzkUBi6alBy+EREuMLDjSHu8Hp6 pIKPUHnq/2SIivwZNV2doobdq7hci7s9If8y5iDMDsRa5IllBnJ2vvKmN4pxIFbHfqS7 PCnjKEBZr0tRZNANeMMwpVbmfs7k+qujOCKtpGNfrJAFwAs8aCr96Hz7/Ful85phoI86 0QnEAOIgtJAz0Hrt41GCWJEQg4+SA0TR5kdy+mYp6d8iCp0x0KE0upKa8ko0bYfmU+G1 VuZq0PxgPOX8ZSFlh10PA21laUdgX0h+qQv40pLsfidBhWUjC+4WA+GkwLEUgUn7tkGR v94Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r11si335369edt.118.2021.01.12.19.13.31; Tue, 12 Jan 2021 19:13:55 -0800 (PST) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729100AbhALW3i (ORCPT + 99 others); Tue, 12 Jan 2021 17:29:38 -0500 Received: from jabberwock.ucw.cz ([46.255.230.98]:33426 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2394599AbhALW3Y (ORCPT ); Tue, 12 Jan 2021 17:29:24 -0500 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id B5A061C0B8B; Tue, 12 Jan 2021 23:28:40 +0100 (CET) Date: Tue, 12 Jan 2021 23:28:40 +0100 From: Pavel Machek To: Theodore Ts'o Cc: Josh Triplett , "Darrick J. Wong" , Linus Torvalds , Andreas Dilger , Jan Kara , Linux Kernel Mailing List , linux-ext4@vger.kernel.org Subject: Re: Malicious fs images was Re: ext4 regression in v5.9-rc2 from e7bfb5c9bb3d on ro fs with overlapped bitmaps Message-ID: <20210112222840.GA28214@duo.ucw.cz> References: <20201006050306.GA8098@localhost> <20201006133533.GC5797@mit.edu> <20201007080304.GB1112@localhost> <20201007143211.GA235506@mit.edu> <20201007201424.GB15049@localhost> <20201008021017.GD235506@mit.edu> <20201008222259.GA45658@localhost> <20201009143732.GJ235506@mit.edu> <20210110184101.GA4625@amd> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="T4sUOijqQbZv57TR" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org --T4sUOijqQbZv57TR Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! > > People want to use USB sticks from time to time. And while I > > understand XFS is so complex it is unsuitable for such use, I'd still > > expect bugs to be fixed there. > >=20 > > I hope VFAT to be safe to mount, because that is very common on USB. > >=20 > > I also hope ext2/3/4 is safe in that regard. >=20 > Ext4 will fix file system fuzzing attack bugs on a best efforts basis. > That is, when I have time, I've been known to stay up late to bugs > reported by fuzzers. I hope ext4 is safe, but I'm not going to make > any guarantees that it is Bug-Free(tm). If you want to trust it in > that way, you do so at your risk. Good. > > Anyway it would be nice to have documentation explaining this. If I'm > > wrong about VFAT being safe, it would be good to know, and I guess > > many will be surprised that XFS is using different rules. >=20 > Using USB sticks is fine, so long as you trust the provenance of the > drive. If you take a random USB stick that is handed to you by Well... That makes passing data between Windows and Linux machines using USB stick "interesting", right? > someone whom you don't trust implicitly, or worse, that you picked up > abandoned on the sidewalk, there have been plenty of articles which > describe why this is a REALLY BAD IDEA, and even if you ignore > OS-level vuleranbilities, there are also firwmare and hardware based > vulerabilities that would put your computer at risk. See [2] and > [3] I know, but bear with me. > As far as documentation is concerned, how far should we go? Should > there be a warning in the execve(2) system call man page that you > shouldn't download random binaries from the network and execute them? :-) No need to pull straw men for me. This thread suggested that kernel is _not_ supposed to be robust against corrupt filesystems (because fsck is not integrated in kernel). Which was news to me (and I'm not the person that needs warning in execve documentation). I'd certainly like to hear that VFAT and EXT4 _is_ supposed to be robust in that way. And if we have filesystems where corrupt image is known to allow arbitrary code execution, we need to a) document that. b) disable them when secure boot is enabled. Because with secure boot, we are supposed to be secure against attacks =66rom root, and root can prepare malicious filesystems. ("The problem, simply put, is this: the objective of secure boot is to prevent the system from running any unsigned code in a privileged mode. So, if one boots a Linux system that, in turn, gives access to the machine to untrusted code, the entire purpose has been defeated. The consequences could hurt both locally (bad code could take control of the machine) and globally (the signing key used to boot Linux could be revoked), so it is an outcome that is worth avoiding. Doing so, however, requires placing limitations in the kernel so that not even root can circumvent the secure boot chain of trust." -- https://lwn.net/Articles/514985/ ). Best regards, Pavel --=20 http://www.livejournal.com/~pavelmachek --T4sUOijqQbZv57TR Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCX/4imAAKCRAw5/Bqldv6 8igbAKCnfyP6mP9AHNkzvIsq1Z/ZDtXU8QCdEyaoLjawtnyub5W2dVUMRLpB6d0= =CR7u -----END PGP SIGNATURE----- --T4sUOijqQbZv57TR--