From: Eric Biggers <ebiggers3@gmail.com>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Jann Horn <jannh@google.com>,
Michael Kerrisk-manpages <mtk.manpages@gmail.com>,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-ext4@vger.kernel.org, Linux API <linux-api@vger.kernel.org>,
linux-man@vger.kernel.org
Subject: Re: [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl
Date: Tue, 9 May 2017 14:17:46 -0700 [thread overview]
Message-ID: <20170509211746.GA87747@gmail.com> (raw)
In-Reply-To: <20170509015324.GM5973@birch.djwong.org>
On Mon, May 08, 2017 at 06:53:24PM -0700, Darrick J. Wong wrote:
> > >> an unprivileged user to determine with high probability whether a set
> > >> of large files with known sizes is stored anywhere in the filesystem, even
> > >> across containers or so.
> > >
> > > How large? How high?
> > >
> > > Do you have a tool that analyzes a set of st_blocks values and compares
> > > the set to known profiles in order to guess what's on the filesystem?
> > > With what accuracy can it do that, especially without explicit path or
> > > stat data? The maximum resolution provided by the ioctl is fs block
> > > size, so it's not like you can guess that this 1268432 byte file is
> > > libclangAnalysis.a; all you know is that there are four 310-block files
> > > on this filesystem -- on this system that's the desktop wallpaper, a
> > > file from each of libclang and libgimp, and libc6 from my aarch64 guest.
> >
> > This would probably become more realistic for larger files, like
> > conference recordings - with sizes like 200075, 48338, 155870, 134800
> > blocks -, although admittedly I don't have a specific scenario in mind in
> > which someone knowing what conference recordings I have on my disk
> > would be problematic.
>
> TBH, I /did/ build a (crappy) tool that tries to construct fingerprints
> based on the fsmaps it finds for each inode number. It works reasonably
> well for identifying the existence (and number) of reflink clones of any
> part of the file tree that you can stat and FIEMAP. It also works (sort
> of) if you have multiple separate filesystems with roughly the same fs
> trees in them. Mixing things into one big file produces a lot of noise,
> and data files are harder to pick out unless they're deduped.
>
> > You're probably right about this not being a particularly important
> > concern, and I recognize that if I had wanted a different API, I should
> > have said so a year ago.
>
> I don't mind people bringing up specific concerns and making specific
> requests for the rest of the 4.12 cycle since it's relatively easy to
> make small changes to the interface (e.g. adding a capability check).
>
I was also surprised to see that there is no authorization check. Using this
ioctl, *anyone* will be able to retrieve the precise list of physical blocks
used by every inode on the filesystem, even ones that are only linked to in
directories the user doesn't have read permission for, or aren't even visible in
their mount namespace.
I am most concerned about:
1.) Privacy implications. Say the filesystem is being shared between multiple
users, and one user unpacks foo.tar.gz into their home directory, which
they've set to mode 700 to hide from other users. Because of this new
ioctl, all users will be able to see every (inode number, size in blocks)
pair that was added to the filesystem, as well as the exact layout of the
physical block allocations which might hint at how the files were created.
If there is a known "fingerprint" for the unpacked foo.tar.gz in this
regard, its presence on the filesystem will be revealed to all users. And
if any filesystems happen to prefer allocating blocks near the containing
directory, the directory the files are in would likely be revealed too.
Also note that by repeatedly executing the ioctl, all users will be able to
see at what time any arbitrary inode was added to the filesystem, as well as
exactly when any arbitrary inode was truncated, or otherwise modified in a
way that changed its extent mappings. More generally, all users will be
able to follow the evolution of any arbitrary set of inodes over time. In
a shared hosting environment this could allow anyone to determine many of
the characteristics of other containers being hosted by the kernel, such as
which software and software versions they're using (or at least, to a higher
degree of confidence than other side channels that may be available
currently).
2.) Abusing the ioctl as an information leak in combination with another
security vulnerability. For example let's say that there's a vulnerability
in xfs or ext4 that allows writing (but not reading) to an arbitrary
physical disk block. Now obviously there are many ways this could be
exploited, but let's say you're in a container, so just elevating to root in
the container isn't enough, and you don't know where the critical system
files are. Using the fsmap ioctl to get the extent mappings of *all* files
on the filesystem, you may still be able to determine with a high degree of
confidence which physical disk blocks hold the contents of files outside the
container that could be backdoored, e.g. /etc/shadow, or some binary in /bin
or /lib, or perhaps a kernel module in /lib/modules.
So given that this ioctl operates on the global filesystem and not on a
particular file, it really seems like more of an administrator-level thing
(capable(CAP_SYS_ADMIN)), not something that any random user should be able to
execute.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers3-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "Darrick J. Wong" <darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>
Cc: Jann Horn <jannh-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>,
Michael Kerrisk-manpages
<mtk.manpages-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
linux-xfs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-ext4-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
linux-man-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl
Date: Tue, 9 May 2017 14:17:46 -0700 [thread overview]
Message-ID: <20170509211746.GA87747@gmail.com> (raw)
In-Reply-To: <20170509015324.GM5973-PTl6brltDGh4DFYR7WNSRA@public.gmane.org>
On Mon, May 08, 2017 at 06:53:24PM -0700, Darrick J. Wong wrote:
> > >> an unprivileged user to determine with high probability whether a set
> > >> of large files with known sizes is stored anywhere in the filesystem, even
> > >> across containers or so.
> > >
> > > How large? How high?
> > >
> > > Do you have a tool that analyzes a set of st_blocks values and compares
> > > the set to known profiles in order to guess what's on the filesystem?
> > > With what accuracy can it do that, especially without explicit path or
> > > stat data? The maximum resolution provided by the ioctl is fs block
> > > size, so it's not like you can guess that this 1268432 byte file is
> > > libclangAnalysis.a; all you know is that there are four 310-block files
> > > on this filesystem -- on this system that's the desktop wallpaper, a
> > > file from each of libclang and libgimp, and libc6 from my aarch64 guest.
> >
> > This would probably become more realistic for larger files, like
> > conference recordings - with sizes like 200075, 48338, 155870, 134800
> > blocks -, although admittedly I don't have a specific scenario in mind in
> > which someone knowing what conference recordings I have on my disk
> > would be problematic.
>
> TBH, I /did/ build a (crappy) tool that tries to construct fingerprints
> based on the fsmaps it finds for each inode number. It works reasonably
> well for identifying the existence (and number) of reflink clones of any
> part of the file tree that you can stat and FIEMAP. It also works (sort
> of) if you have multiple separate filesystems with roughly the same fs
> trees in them. Mixing things into one big file produces a lot of noise,
> and data files are harder to pick out unless they're deduped.
>
> > You're probably right about this not being a particularly important
> > concern, and I recognize that if I had wanted a different API, I should
> > have said so a year ago.
>
> I don't mind people bringing up specific concerns and making specific
> requests for the rest of the 4.12 cycle since it's relatively easy to
> make small changes to the interface (e.g. adding a capability check).
>
I was also surprised to see that there is no authorization check. Using this
ioctl, *anyone* will be able to retrieve the precise list of physical blocks
used by every inode on the filesystem, even ones that are only linked to in
directories the user doesn't have read permission for, or aren't even visible in
their mount namespace.
I am most concerned about:
1.) Privacy implications. Say the filesystem is being shared between multiple
users, and one user unpacks foo.tar.gz into their home directory, which
they've set to mode 700 to hide from other users. Because of this new
ioctl, all users will be able to see every (inode number, size in blocks)
pair that was added to the filesystem, as well as the exact layout of the
physical block allocations which might hint at how the files were created.
If there is a known "fingerprint" for the unpacked foo.tar.gz in this
regard, its presence on the filesystem will be revealed to all users. And
if any filesystems happen to prefer allocating blocks near the containing
directory, the directory the files are in would likely be revealed too.
Also note that by repeatedly executing the ioctl, all users will be able to
see at what time any arbitrary inode was added to the filesystem, as well as
exactly when any arbitrary inode was truncated, or otherwise modified in a
way that changed its extent mappings. More generally, all users will be
able to follow the evolution of any arbitrary set of inodes over time. In
a shared hosting environment this could allow anyone to determine many of
the characteristics of other containers being hosted by the kernel, such as
which software and software versions they're using (or at least, to a higher
degree of confidence than other side channels that may be available
currently).
2.) Abusing the ioctl as an information leak in combination with another
security vulnerability. For example let's say that there's a vulnerability
in xfs or ext4 that allows writing (but not reading) to an arbitrary
physical disk block. Now obviously there are many ways this could be
exploited, but let's say you're in a container, so just elevating to root in
the container isn't enough, and you don't know where the critical system
files are. Using the fsmap ioctl to get the extent mappings of *all* files
on the filesystem, you may still be able to determine with a high degree of
confidence which physical disk blocks hold the contents of files outside the
container that could be backdoored, e.g. /etc/shadow, or some binary in /bin
or /lib, or perhaps a kernel module in /lib/modules.
So given that this ioctl operates on the global filesystem and not on a
particular file, it really seems like more of an administrator-level thing
(capable(CAP_SYS_ADMIN)), not something that any random user should be able to
execute.
- Eric
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2017-05-09 21:17 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-05-07 15:58 [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl Darrick J. Wong
2017-05-07 22:17 ` Jann Horn
2017-05-08 18:41 ` Darrick J. Wong
2017-05-08 18:41 ` Darrick J. Wong
2017-05-08 18:47 ` Jann Horn
2017-05-08 20:47 ` Darrick J. Wong
2017-05-08 20:47 ` Darrick J. Wong
2017-05-08 22:54 ` Jann Horn
2017-05-09 1:53 ` Darrick J. Wong
2017-05-09 1:53 ` Darrick J. Wong
2017-05-09 21:17 ` Eric Biggers [this message]
2017-05-09 21:17 ` Eric Biggers
2017-05-10 16:38 ` Theodore Ts'o
2017-05-10 19:27 ` Eric W. Biederman
2017-05-10 20:14 ` Darrick J. Wong
2017-05-10 20:14 ` Darrick J. Wong
2017-05-11 5:10 ` Eric Biggers
2017-05-11 5:10 ` Eric Biggers
2017-05-14 1:41 ` Andreas Dilger
2017-05-14 4:25 ` Darrick J. Wong
2017-05-14 4:25 ` Darrick J. Wong
2017-05-14 13:56 ` Andy Lutomirski
2017-05-14 13:56 ` Andy Lutomirski
2017-05-18 2:04 ` Darrick J. Wong
2017-05-18 2:04 ` Darrick J. Wong
-- strict thread matches above, loose matches on Subject: below --
2017-02-18 1:17 [RFC PATCH v6 0/8] vfs/xfs/ext4: GETFSMAP support Darrick J. Wong
2017-02-21 22:14 ` [PATCH] ioctl_getfsmap.2: document the GETFSMAP ioctl Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170509211746.GA87747@gmail.com \
--to=ebiggers3@gmail.com \
--cc=darrick.wong@oracle.com \
--cc=jannh@google.com \
--cc=linux-api@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-man@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=mtk.manpages@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.