From: "Theodore Y. Ts'o" <tytso@mit.edu>
To: Eric Sandeen <sandeen@sandeen.net>
Cc: Eric Biggers <ebiggers3@gmail.com>,
"Darrick J. Wong" <darrick.wong@oracle.com>,
Dave Chinner <david@fromorbit.com>,
Brian Foster <bfoster@redhat.com>,
linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Bugs involving maliciously crafted file system
Date: Wed, 23 May 2018 19:41:15 -0400 [thread overview]
Message-ID: <20180523234114.GA3434@thunk.org> (raw)
In-Reply-To: <a52266f9-0096-b28c-c01c-046ababcfe3a@sandeen.net>
On Wed, May 23, 2018 at 01:01:59PM -0500, Eric Sandeen wrote:
>
> What I'm personally hung up on are the bugs where the "exploit" involves merely
> mounting a crafted filesystem that in reality would never (until the heat death
> of the universe) corrupt itself into that state on its own; it's the "malicious
> image" case, which is quite different than exposing fundamental bugs like the
> SB_BORN race or or the user-exploitable ext4 flaw you mentioned in your reply.
> Those are more insidious and/or things which can be hit by real users in real life.
Well, it *can* be hit in real life. If you have a system which auto
mounts USB sticks, then an attacker might be able to weaponize that
bug by creating a USB stick where mounted and the user opens a
particular file, the buffer overrun causes code to be executed that
grabs the user's credentials (e.g., ssh-agent keys, OATH creds, etc.)
and exfiltrates them to a collection server.
Fedora and Chrome OS might be two such platforms where someone could
very easily create a weaponized exploit tool where you could insert a
file system buffer overrun bug, and "hey presto!" it becomes a serious
zero day vulnerability.
(I recently suggested to a security researcher who was concerned that
file system developers weren't taking these sorts of things seriously
enough could do a service to the community by creating a demonstration
about how these sorts of bugs can be weaponized. And I suspect it
could be about just as easily on Chrome OS as Fedora, and that can be
one way that an argument could be made to management that more
resources should be applied to this problem. :-)
Of course, not all bugs triggered by a maliciously crafted file system
are equally weaponizable. An errors=panic or a NULL derefrence are
probably not easily exploitable at all. A buffer overrun (and I fixed
two in ext4 in the last two days while being stuck in a T13 standards
meeting, so I do feel your pain) might be a very different story.
Solutions
---------
One of the things I've wanted to get help from the syzbot folks is if
there was some kind of machine learning or expert system evaluation
that could be done so malicious image bugs could be binned into
different categories, based on how easily they can be weaponized.
That way, when there is a resource shortage situation, humans can be
more easily guided into detremining which bugs should be prioritized
and given attention, and which we can defer to when we have more time.
Or maybe it would be useful if there was a way where maintainers could
be able to annotate bugs with priority and severity levels, and maybe
make comments that can be viewed from the Syzbot dashboard UI.
The other thing that perhaps could be done is to set up a system where
the USB stick is automounted in a guest VM (using libvirt in Fedora,
and perhaps Crostini for Chrome OS), and the contents of the file
system would then get exported from the guest OS to the host OS using
either NFS or 9P. (9P2000.u is the solution that was used in
gVisor[1].)
[1] https://github.com/google/gvisor
It could be that putting this kind of security layer in front to
automounted USB sticks is less work than playing whack-a-mole fixing a
lot of security bugs with maliciously crafted file systems.
- Ted
next prev parent reply other threads:[~2018-05-23 23:41 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-21 17:55 INFO: task hung in xlog_grant_head_check syzbot
2018-05-22 12:31 ` Brian Foster
2018-05-22 22:26 ` Dave Chinner
2018-05-22 22:52 ` Eric Biggers
2018-05-23 4:47 ` Dave Chinner
2018-05-23 7:44 ` Darrick J. Wong
2018-05-23 16:20 ` Eric Biggers
2018-05-23 18:01 ` Eric Sandeen
2018-05-23 23:41 ` Theodore Y. Ts'o [this message]
2018-05-24 0:49 ` Bugs involving maliciously crafted file system Dave Chinner
2018-05-24 0:59 ` Theodore Y. Ts'o
2018-05-24 3:55 ` Dave Chinner
2018-05-24 13:16 ` Eric Sandeen
2018-05-30 19:41 ` Eric W. Biederman
2018-05-30 20:51 ` Matthew Garrett
2018-06-11 13:11 ` Dmitry Vyukov
2018-05-26 17:12 ` Dmitry Vyukov
2018-05-26 20:24 ` Theodore Y. Ts'o
2018-06-11 13:07 ` Dmitry Vyukov
2018-06-11 13:33 ` Theodore Y. Ts'o
2018-06-15 9:32 ` Dmitry Vyukov
2018-06-11 13:20 ` INFO: task hung in xlog_grant_head_check Dmitry Vyukov
2018-06-11 14:35 ` Eric Sandeen
2018-05-23 23:35 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180523234114.GA3434@thunk.org \
--to=tytso@mit.edu \
--cc=bfoster@redhat.com \
--cc=darrick.wong@oracle.com \
--cc=david@fromorbit.com \
--cc=ebiggers3@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=sandeen@sandeen.net \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.