From: "Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>
To: The development of GNU GRUB <grub-devel@gnu.org>
Subject: Re: GRUB and the risk of block list corruption in extX
Date: Tue, 19 Feb 2013 10:37:54 +0100
Message-ID: <512347F2.4070901@gmail.com>
In-Reply-To: <E2C68865-294D-47A5-846A-0C7CBDFBA9E5@colorremedies.com>

[-- Attachment #1: Type: text/plain, Size: 1964 bytes --]

I haven't gone through this whole thread yet but this is one of the problems
with blocklist installs:
Suppose the blocklist changes because of e.g. a user mistake. Yet at the old
location there is still the old core.img. For the time being. So this
problem may go unnoticed for years, yet if someone has the ability to
create new files on the disk in question, he creates a ton of files with
copies of a malicious sector, one of them will overwrite core and be
executed on next reboot.
This is a security problem coming from the fact that in a normal
environment blocklists are abstracted away into files and are no longer
either visible or considered, yet they are still manipulated. The embedding
zone doesn't have this problem since it's by definition never manipulated.
Another trouble is that ext4 devs control only their own implementation.
But there are several more floating around. Once we had problems because
Hurd ext2 behaviour is different from the Linux one. Additionally, as long
as the behaviour of not modifying blocklists of core.img isn't specified as
official, implementations which would do so (specifically the cow
flavours) are within their rights.
It's possible to add ext4 parsing to the boot sector but it's not sure that
it will be maintainable in the face of new ext* features.
A possibility is to use 2 unused sectors in front of ext* to store
the initial stage but it doesn't help if embedding isn't available for other
reasons than installing to a partition.
Having an embedded zone described by an inode is unusual but is usable as
long as:
1) special sector allocation. It must be (at least, preferably more)
4K-aligned (necessary for supporting 4K-sector disks) and contiguous.
Either:
2a) miniature parser in boot.S to find this file. Greatly simplified if
inode is fixed, since fs parameters are fixed it would be a
straightforward of value read.
2b) immutability of blocklist. This also implies that this file can't be
shrunk or deleted.


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 294 bytes --]
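
Added example, not part of the original message or of GRUB: a check for the silent blocklist drift described above, run on a constructed in-memory disk. It shows why hashing the sectors alone is not enough and the recorded blocklist must also be compared with the extents the filesystem currently reports for core.img (for instance via FIEMAP); all function names and sector numbers are assumptions of this example.

```python
import hashlib

SECTOR = 512  # sector size assumed for this constructed example

def read_extents(disk, extents):
    """Concatenate the sectors named by (start_sector, count) pairs."""
    return b"".join(bytes(disk[s * SECTOR:(s + n) * SECTOR]) for s, n in extents)

def aligned_contiguous(extents, align=4096):
    """Requirement 1 of the message: one contiguous run, 4K-aligned."""
    return len(extents) == 1 and (extents[0][0] * SECTOR) % align == 0

def check_blocklist(disk, recorded, current, core_sha256):
    """Compare the blocklist recorded at install time with the file's extents now.

    'ok'          mapping unchanged and sectors still hold core.img
    'stale'       sectors still hold the old core.img but no longer belong to
                  the file, so the filesystem may hand them to any new file
    'overwritten' the sectors the boot sector will load hold something else
    """
    digest = hashlib.sha256(read_extents(disk, recorded)).hexdigest()
    if digest != core_sha256:
        return "overwritten"
    return "ok" if list(recorded) == list(current) else "stale"

def demo():
    # Constructed 64-sector disk image and a 4-sector stand-in for core.img.
    disk = bytearray(64 * SECTOR)
    core = bytes(range(256)) * 8  # 2048 bytes = 4 sectors
    want = hashlib.sha256(core).hexdigest()
    recorded = [(8, 4)]
    disk[8 * SECTOR:12 * SECTOR] = core
    results = [check_blocklist(disk, recorded, [(8, 4)], want)]
    # core.img is rewritten elsewhere; the old sectors keep the old bytes.
    disk[24 * SECTOR:28 * SECTOR] = core
    results.append(check_blocklist(disk, recorded, [(24, 4)], want))
    # An unrelated new file is later allocated over the freed sectors.
    disk[9 * SECTOR:10 * SECTOR] = b"\xAA" * SECTOR
    results.append(check_blocklist(disk, recorded, [(24, 4)], want))
    return results

if __name__ == "__main__":
    print(demo())
```

The 'stale' result is the case the message says can go unnoticed for years: a content hash still passes, and only the extent comparison reveals that the boot sector points at sectors the filesystem considers free.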
