From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935341AbeEXA7O (ORCPT ); Wed, 23 May 2018 20:59:14 -0400 Received: from imap.thunk.org ([74.207.234.97]:47146 "EHLO imap.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935196AbeEXA7M (ORCPT ); Wed, 23 May 2018 20:59:12 -0400 Date: Wed, 23 May 2018 20:59:06 -0400 From: "Theodore Y. Ts'o" To: Dave Chinner Cc: Eric Sandeen , Eric Biggers , "Darrick J. Wong" , Brian Foster , linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com Subject: Re: Bugs involving maliciously crafted file system Message-ID: <20180524005906.GC3434@thunk.org> Mail-Followup-To: "Theodore Y. Ts'o" , Dave Chinner , Eric Sandeen , Eric Biggers , "Darrick J. Wong" , Brian Foster , linux-kernel@vger.kernel.org, linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com References: <000000000000457b2d056cbb0044@google.com> <20180522123107.GC3751@bfoster.bfoster> <20180522222620.GW23861@dastard> <20180522225208.GB658@sol.localdomain> <20180523074425.GM14384@magnolia> <20180523162015.GA3684@sol.localdomain> <20180523234114.GA3434@thunk.org> <20180524004931.GB23861@dastard> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180524004931.GB23861@dastard> User-Agent: Mutt/1.9.5 (2018-04-13) X-SA-Exim-Connect-IP: X-SA-Exim-Mail-From: tytso@thunk.org X-SA-Exim-Scanned: No (on imap.thunk.org); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, May 24, 2018 at 10:49:31AM +1000, Dave Chinner wrote: > > We've learnt this lesson the hard way over and over again: don't > parse untrusted input in privileged contexts. How many times do we > have to make the same mistakes before people start to learn from > them? Good question. For how many years (or is it decades, now) has Fedora auto-mounted USB sticks? :-) Let me know when you successfully get Fedora to turn of a feature which appears to have great user appeal. And I'll note that Eric Beiderman just posted a patch series allowing unprivileged processes to mount file systems in containers. And remember the mantra which the containner people keep chanting. Containers are just as secure as VM's. Hahahaha..... > User automounting of removable storage should be done via a > privilege separation mechanism and hence avoid this whole class of > security problems. We can get this separation by using FUSE in these > situations, right? FUSE is a pretty terrible security boundary. And not all file systems have FUSE support. As I had suggested earlier, probably better to use 9P, and mount the file system in a VM. > Bugs don't have to be exploitable to be a "security issue". Detected > filesystem corruptions on a errors=panic mount, or undetected > problems that cause a x/NULL deref are still a user-triggerable > kernel crash (i.e. a DOS) and therefore considered a security > problem. I disagree here. I think it's worth it to disambiguate the two. If you have physical access to the machine, you can also apply AC mains voltage to the USB port, which will likely cause the system to crash. And at least for Chrome OS, it reboots really quickly. :-) If someone can gain control of the system so they can exfiltrate data, or be able to modify files owned as root, that's a much bigger deal that crashing the machcine in my view. - Ted