Re: [PATCH AUTOSEL 5.1 35/70] loop: Don't change loop device under exclusive opener
From: Jan Kara
Date: Thu Jun 20 2019 - 05:13:44 EST
On Wed 19-06-19 16:11:36, Sasha Levin wrote:
> On Mon, Jun 10, 2019 at 11:00:13AM +0200, Jan Kara wrote:
> > On Sat 08-06-19 07:39:14, Sasha Levin wrote:
> > > From: Jan Kara <jack@xxxxxxx>
> > >
> > > [ Upstream commit 33ec3e53e7b1869d7851e59e126bdb0fe0bd1982 ]
> >
> > Please don't push this to stable kernels because...
>
> I've dropped this, but...
OK, thanks.
> > > [Deliberately chosen not to CC stable as a user with priviledges to
> > > trigger this race has other means of taking the system down and this
> > > has a potential of breaking some weird userspace setup]
> >
> > ... of this. Thanks!
>
> Can't this be triggered by an "innocent" user, rather as part of an
> attack? Why can't this race happen during regular usage?
Well, the problem happens when mount happens on loop device when someone
modifies the backing file of the loop device. So for this to be
triggerable, you have to have control over assignment of backing files to
loop devices (you have to be owner of these loop devices to be able to do
this - pretty much means root in most setups) and be able to trigger mount
on this device. If you have these capabilities, there are much more
efficient ways to gain full administrator priviledges on the system,
deadlocking the kernel is thus the least of your worries.
Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR