Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp4759511rwb; Wed, 17 Aug 2022 05:48:26 -0700 (PDT) X-Google-Smtp-Source: AA6agR7QRz20akP5EhQ4a2yLshC1ihYOJMJllWfkT/aapmZa3B060bUtzzPfwZ6PhUGskpdq4Tz3 X-Received: by 2002:a05:6402:3805:b0:43e:8335:3a2a with SMTP id es5-20020a056402380500b0043e83353a2amr23616649edb.296.1660740505895; Wed, 17 Aug 2022 05:48:25 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660740505; cv=none; d=google.com; s=arc-20160816; b=T/mVXZCPG/5VOOR+Z4l0lgHu4067/TkQfoIA2Kjnp8x39tZmH0zkkI1mUk+PdpNE+G Dfgt+LtAQTXHmfJm8Z9LaDal7xPwB7n4nt0nO20GjJe+eIjCcDzxkl5cZHLQUbADqNsr 0IIv31V4onKYtKWpbNERROO5q0P4CqypcS7LvTT0Jvh4MOu76Qa43Y2t8SEYpE6UZ+Cj wIP7+N2VYGnWgTDJb6ZbVxyuFMBoWGs4ltJEMq/UKbr4MLsoeRtAimwWU4ZQR1oCIkJ3 q2y5bXr28WvRndzGQezHG1gkHy2vGmdiL8MN1EWJMaWJB+uds+vNM6xlrhllI2/KZb0i mrsw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:auto-submitted :content-transfer-encoding:references:in-reply-to:message-id:date :subject:to:from:dkim-signature; bh=dTHsgA3+Pen4xKhNCAb4BEX8J1pjRQNfaC2UwlZ7G3w=; b=vkHO8uSOzD5rHi5SMA5KnjXMFCFmCfDCLqKrzUUEQ9OGRDNIwt+7db0YWimCWBO7xF 51xAD7QdvmgdZx/JHW5LIDIXI1IzZLWw0VQjIIB7yGW73xx/8KomOMsFyFC2K/LY+kLP BqptHNHpwxPJOy7MzHkvfLZNqTpzxI+b15GBn23rfEB6CO21ui6rK9Ke3cW3dHhUjsNj x6Cz18NqmzMEm/VTnU5rx8OLk284flgHiwqTHJ4ZAdU8HbuKYj6h9Vo4G7B6KLnfHtoR k6QpwApeGt3dxQgeduHCoWiPNnu9D7WVb2z9z/33iFWqE0s0GJ5GVDX6wuPZAzBQ0dpI owiA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=D1KWvfsk; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h20-20020aa7c614000000b0043d267cee03si210251edq.299.2022.08.17.05.47.55; Wed, 17 Aug 2022 05:48:25 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=D1KWvfsk; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232705AbiHQMm7 (ORCPT + 99 others); Wed, 17 Aug 2022 08:42:59 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41052 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231184AbiHQMmz (ORCPT ); Wed, 17 Aug 2022 08:42:55 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CA5B28993B for ; Wed, 17 Aug 2022 05:42:54 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 69129611E4 for ; Wed, 17 Aug 2022 12:42:54 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPS id CA10BC433D6 for ; Wed, 17 Aug 2022 12:42:53 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1660740173; bh=n6eVTxI+Ys1XiBjEOHQQgpd7o3rSKDT1JeHQdmfEu9Y=; h=From:To:Subject:Date:In-Reply-To:References:From; b=D1KWvfskW3mxDHyIYCc+Zr92Za755yQ6+flCj3A6aipDM0AmsLMphdjsBxTzAmFdY KBb8RNZ05yyNtVo2dSf43Ph8yLYgbN0at1j34vwz+2EHvCVUpXTHPzv6oy31wcjtdG /dNJzFq5vCeqdEEXKfeHzfvC6v+/PcwKh/gN0AnQptqLQih3hmFkm5FRE2zt8iNWVU A75PXgV5YrlI8yB1eCRVAQcF/yikTeP28oaGK9Mb8ks/iL99O5FUNXxZzPfx/mu1WQ tJ4UrQUWY067NReElrrh5H22U22VBHSkAd+SE+jstA8paTa9b5pXYIEHzUStEDWYVu /Gpu+I5KnV2sw== Received: by aws-us-west-2-korg-bugzilla-1.web.codeaurora.org (Postfix, from userid 48) id B67EDC433E4; Wed, 17 Aug 2022 12:42:53 +0000 (UTC) From: bugzilla-daemon@kernel.org To: linux-ext4@vger.kernel.org Subject: [Bug 216283] FUZZ: BUG() triggered in fs/ext4/extent.c:ext4_ext_insert_extent() when mount and operate on crafted image Date: Wed, 17 Aug 2022 12:42:53 +0000 X-Bugzilla-Reason: None X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: AssignedTo fs_ext4@kernel-bugs.osdl.org X-Bugzilla-Product: File System X-Bugzilla-Component: ext4 X-Bugzilla-Version: 2.5 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: zhangboyang.id@gmail.com X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P1 X-Bugzilla-Assigned-To: fs_ext4@kernel-bugs.osdl.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugzilla.kernel.org/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org https://bugzilla.kernel.org/show_bug.cgi?id=3D216283 --- Comment #10 from Zhang Boyang (zhangboyang.id@gmail.com) --- Hi, On 2022/8/2 11:25, Dave Chinner wrote: >> I don't particularly worry about "responsible disclosure" because I >> don't consider fuzzed file system crashes to be a particularly serious >> security concern. There are some crazy container folks who think >> containers are just as secure(tm) as VM's, and who advocate allowing >> untrusted containers to mount arbitrary file system images and expect >> that this not cause the "host" OS to crash or get compromised. Those >> people are insane(tm), and I don't particularly worry about their use >> cases. >=20 > They may be "crazy container" use cases, but anything we can do to > make that safer is a good thing. >=20 >=20 > But if the filesystem crashes or has a bug that can be exploited > during the mount process.... >=20 I think filesystem-safety is very import to consumer devices like=20 computers or smartphones, at least for those filesystems designed for=20 (or widely used for) data exchange, like fat and exfat. Please see my=20 comments below. On the other hand, filesystem designed for internal use like ext4 or xfs=20 can ignore deliberate manipulation but users still expect they can deal=20 with random errors, e.g. you don't want whole file server down because=20 of single faulty disk. And this has nothing to do with containers. >> If you have a Linux laptop with an automounter enabled it's possible >> that when you plug in a USB stick containing a corrupted file system, >> it could cause the system to crash. But that requires physical access >> to the machine, and if you have physical access, there is no shortage >> of problems you could cause in any case. >=20 > Yes, the real issue is that distros automount filesystems with > "noexec,nosuid,nodev". They use these mount options so that the OS > protects against trojanned permissions and binaries on the untrusted > filesystem, thereby preventing most of the vectors an untrusted > filesystem can use to subvert the security of the system without the > user first making an explicit choice to allow the system to run > untrusted code. >=20 > But exploiting an automoutner does not require physical access at > all. Anyone who says this is ignoring the elephant in the room: > supply chain attacks.guarantee >=20 > All it requires is a supply chain to be subverted somehere, and now > the USB drive that contains the drivers for your special hardware > from a manufacturer you trust (and with manufacturer > trust/anti-tamper seals intact) now powns your machine when you plug > it in. >=20 > Did the user do anything wrong? No, not at all. But they could > have a big problem if filesystem developers don't care about > threat models like subverted supply chains and leave the door wide > open even when the user does all the right things... >=20 Yes, an attack need physical access doesn't means the attacker need=20 physical access. USB sticks (or more generally, external storage devices), is still a=20 very important way to exchange data between computers (and/or smart=20 devices), although it's not as common as before. No safe guarantee here=20 means there is no way to even read untrusted filesystems without using=20 virtual machines / DMZ machines. Thus, using untrusted filesystems=20 natively will become "give root privilege to those who wrote to that=20 filesystem". That makes me recall the nightmare of autorun.inf worms on=20 Windows platforms. I think no user/vendor really want this. At least I'm=20 sure it would be scandal for Tesla if their cars can be hacked by=20 inserting a USB stick. Best Regards, Zhang Boyang --=20 You may reply to this email to add a comment. You are receiving this mail because: You are watching the assignee of the bug.=