Re: [PATCH 0/3] ocfs2: harden inode validators against forged metadata

From: Joel Becker

Date: Mon Jun 01 2026 - 13:39:58 EST


On Sun, May 17, 2026 at 07:10:11AM -0400, Michael Bommarito wrote:
> This series adds three structural checks to
> ocfs2_validate_inode_block() that catch attacker-controlled bytes
> in a freshly read dinode before ocfs2_populate_inode() copies them
> verbatim into the in-core inode. All three checks fire on the
>
> ...
>
> Threat model
> ============
>
> The validator is the chokepoint that protects
> ocfs2_populate_inode() from a malformed dinode whether the
> malformation got there via:
>
>   (1) An attacker-supplied disk image mounted by a privileged
>       user. The mount path runs every dinode through this
>       validator before any unprivileged user opens a file on
>       the volume. This is the same threat model the existing
>       inline-data, refcount, and chain-list checks in this
>       function were written for.
>
>   (2) A compromised cluster peer with raw write access to the
>       shared block device. OCFS2 is a clustered filesystem;
>       the on-disk blocks behind bh->b_data live on shared
>       storage that other cluster nodes can write. The local
>       node's cache-eviction re-read runs the newly fetched
>       block through this validator before ocfs2_populate_inode()
>       runs again. Oracle's BlockErrorDetection design document
>       scopes the existing CRC32 + Hamming integrity primitive
>       explicitly as defense against memory and wire corruption,
>       not as authentication of peer writes; the field-level
>       validators are therefore the kernel-side defense
>       whichever path produced the forged block.

Thank you for the excellent description of the threat model, and for
devising the comprehensive model in the first place. It really helps
consider these patches in the right context.

Can you make sure this info carries on to later versions of this patch
series, so it isn't lost?

Thanks,
Joel

--

"Every day I get up and look through the Forbes list of the richest
people in America. If I'm not there, I go to work."
- Robert Orben

http://www.jlbec.org/
jlbec@xxxxxxxxxxxx