Re: Bad ext3/nfs DoS bug

From: Jan Kara
Date: Thu Jul 20 2006 - 12:04:27 EST

Next message: Andrew Morton: "Re: +revert-pcmcia-make-ide_cs-work-with-the-memory-space-of-cf-cards-if-io-space-is-not-available.patchadded to -mm tree"
Previous message: Paul Mackerras: "Re: [PATCH] panic_on_oops: remove ssleep()"
In reply to: Neil Brown: "Re: Bad ext3/nfs DoS bug"
Next in thread: James: "Re: Bad ext3/nfs DoS bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> On Wednesday July 19, jack@xxxxxxx wrote:
> > > So what happens next? Is the ext3 maintainer on sabatical,
> > > or am I expected to submit a patch to fix this?
> > I guess people are mostly busy with OLS and such so maybe they missed
> > the discussion.. Giving CC to relevant people to catch their attention
> > :)
> > Andrew, Stephen: James has come across a nasty bug (potentially remote
> > DoS). NFS extracts inode number from a filehandle and the inode number
> > eventually ends in ext3_read_inode(). Now if the inode number is bogus,
> > ext3_get_inode_block() calls ext3_error() and filesystem is remounted
> > RO or whatever else is configured. That is quite undesirable in this
> > case.
> > Now the easy "fix" is to change ext3_error() to ext3_warning() but an
> > attacker flooding your logs with warnings is probably not good either
> > and in case the inode number comes from ext3 itself we should really do
> > ext3_error() as there is some corruption in the fs.
> > Better fix would be to add a flag to read_inode() saying that the inode
> > number is from untrusted source (but that means changing a prototype of a
> > function every fs uses) and change export_iget() to pass this flag. Yet
> > another solution would be to make ext3 implement its own get_dentry() export
> > function and pass the flag internally...
> > What do you think is the best solution?
>
> I think that a good solution (hard to say if it is the best) is to
> remove that error message altogether, and put it where inode numbers
> are read out of directories. Something like the following patch -
> compile tested only.
Yes, that looks fine too. I did not realize that we get the inode
number only in a few places. Maybe we could wrap the checks in a
function (possibly inline) so that the checks are just in one place?

Honza
--
Jan Kara <jack@xxxxxxx>
SuSE CR Labs
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: +revert-pcmcia-make-ide_cs-work-with-the-memory-space-of-cf-cards-if-io-space-is-not-available.patchadded to -mm tree"
Previous message: Paul Mackerras: "Re: [PATCH] panic_on_oops: remove ssleep()"
In reply to: Neil Brown: "Re: Bad ext3/nfs DoS bug"
Next in thread: James: "Re: Bad ext3/nfs DoS bug"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]