| Message ID | 20230207011849.1343-1-demi@invisiblethingslab.com |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:adf:eb09:0:0:0:0:0 with SMTP id s9csp2581977wrn;
Mon, 6 Feb 2023 17:43:44 -0800 (PST)
X-Google-Smtp-Source:
AK7set8e/6Y/qb0Ftjr5tPCS36GG0lJyILfMY+rWOWga7ZPlUZIVskYvczrjjd5jZPMR7eThxXrV
X-Received: by 2002:aa7:9aef:0:b0:592:e66f:6c7a with SMTP id
y15-20020aa79aef000000b00592e66f6c7amr1404579pfp.20.1675734224047;
Mon, 06 Feb 2023 17:43:44 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1675734224; cv=none;
d=google.com; s=arc-20160816;
b=Zrr8MAIKVD6yCtZxDMIrb+6fkBT2BTs1pO508cwP5qV9c7Z2dIxcMRtHeDuKOBtU0R
eS+DXcH/l4fU/IY3RrMXqHzc+n6D9hwi7zuLqty+h7xpsgVbZezOKEDs/HKcfF7DKby0
SreXRKM2zX622hS056QBc/jhrRK8avcL2eRE6AsgQNSVinet2xUIXLQWCibQhIK8UP/n
bzQ7f+C1oz2eQNdtwbYI//io9TkA59lec2CgAajf5MlEKapWhIfhyi9my09YXi7Gqc4k
ocD18CJgdJBdCap7fvHHRn8PQKvAhpzLRZpUQ8/eZGcnSm5NfrsKna2lXgEpnwHzjeDf
kH7Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:feedback-id:dkim-signature
:dkim-signature;
bh=zYPj50UvVEIOsgADXJp+oJsb7O+roahlWS7jztV/S9A=;
b=dURD7UJrFhD8Ghzzu7yFkN+jxqmx0Uey7wV3Wa3h+3oONNwZI3WU+UL4+fd62imI8V
wmpk/ldUjuEyJvrU6GJpUhynIrkn56nyCfmy8UJqoBTiY24CYlsovDjxUdiv5oZcq5MK
W8LmZG7n3TEo+8OrYOQexnPwAv1v73hvK1AMv2Nvg2tXJns1q2QaV9XsyyMIvIxcGMtN
04uTW32/TbvTp3oAQnuCTL0xxScHF9EWg3OvmZHXKXLUJfM4jH+Kd/ZW3gD7KTr0TXok
E7lt/pqv6eGqWT4WtDY8LVwyWnuX8gpSg+//b7gWsvJZLTzS0T3dRS4+C5dTWVoEveM+
+Wmg==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@invisiblethingslab.com header.s=fm3
header.b=dgkINF9M;
dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=TjtVQ2ZE;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
c4-20020aa781c4000000b005940003f68csi12464982pfn.356.2023.02.06.17.43.31;
Mon, 06 Feb 2023 17:43:44 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@invisiblethingslab.com header.s=fm3
header.b=dgkINF9M;
dkim=pass header.i=@messagingengine.com header.s=fm3 header.b=TjtVQ2ZE;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229942AbjBGBTL (ORCPT <rfc822;kmanaouilinux@gmail.com>
+ 99 others); Mon, 6 Feb 2023 20:19:11 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58642 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229525AbjBGBTJ (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 6 Feb 2023 20:19:09 -0500
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com
[64.147.123.24])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 860AE1A4AF
for <linux-kernel@vger.kernel.org>;
Mon, 6 Feb 2023 17:19:08 -0800 (PST)
Received: from compute2.internal (compute2.nyi.internal [10.202.2.46])
by mailout.west.internal (Postfix) with ESMTP id 0D99332008FD;
Mon, 6 Feb 2023 20:19:04 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162])
by compute2.internal (MEProxy); Mon, 06 Feb 2023 20:19:05 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
invisiblethingslab.com; h=cc:cc:content-transfer-encoding:date
:date:from:from:in-reply-to:message-id:mime-version:reply-to
:sender:subject:subject:to:to; s=fm3; t=1675732744; x=
1675819144; bh=zYPj50UvVEIOsgADXJp+oJsb7O+roahlWS7jztV/S9A=; b=d
gkINF9MygUXfd1bB4N9gmnLi686uzaq6pqgf+ye9RW5DDdi7SJEFDGDak/HvVCm+
Jsm6mLu6t274pUa82bhmrP0nSwPz26yG6CymyFblzcvq97dIyW5dlLV4fvZJVvDx
Htko471RBmfnCZ6AJAims5MzFeYKb68UyKm6eBadkvheWl7pMZmMJAa3ghgh+OgG
bCXlAIG2OI7B5xvkjnTBNgohd/wE0GDZIBrJgyKZRg86etnUeoliFcGKHyAPfJET
zr6itNKCgcG2KLW0WmIgDz5bj9CpszH1HMunFz4GYMEK83dGTobHu6V9o/ZbndiK
uyYT3Ngys6ED+cqFmJJWw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:cc:content-transfer-encoding:date:date
:feedback-id:feedback-id:from:from:in-reply-to:message-id
:mime-version:reply-to:sender:subject:subject:to:to:x-me-proxy
:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=
1675732744; x=1675819144; bh=zYPj50UvVEIOsgADXJp+oJsb7O+roahlWS7
jztV/S9A=; b=TjtVQ2ZEIp1gCY+/1sP43JqJpyFvx7k95CwP8kXCM7DCQyuQFSl
NkhncWZ0yAYLGZmwT/+fVcPqr675oPVmMvZIxMPd/dzXVm/lSueg96US154JsLCh
8jlDZPkZ5aQgu7xOrSTfY7+jcHvJvVcwRaAoaaeywjGV2lbC8yoU+FGgXH8yLE6C
VhnDaZCjD7YA6bE6hpvSPWMIhSkjmuOuiY4fEmzSLAJsO+5MEhIR94Njq9tmiV0e
ViS/NdLIJSd548kHJt6uU7ONVCIlHlxjvXkJyEqD2Ktbn0bDZS1Nt9vV6oTYViw9
ADE5+nmRRDW24UzwRnqmQSs200ZIEw97bzg==
X-ME-Sender: <xms:CKfhY5ZvTjLwfiybMAqx2xh49i_HCyry6qI8tI0G5F5DMlQw5WMO_w>
<xme:CKfhYwZj5B1TSoUMUmIQmuevI_xMHZxvjNb4hNgrXIc5OiaaBrxJSZedKPZlKzPqZ
iIVH1n7JBXQpIA>
X-ME-Received:
<xmr:CKfhY7_lHWBNEimbxE6iiCU8KJ3UdvmWKUqAiQ0aMAD6fBI_aiJ528E0Qy07qaEKFudDIQ2Y4FQ>
X-ME-Proxy-Cause:
gggruggvucftvghtrhhoucdtuddrgedvhedrudegjedgfedvucetufdoteggodetrfdotf
fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
cujfgurhephffvvefufffkofgggfestdekredtredttdenucfhrhhomhepffgvmhhiucfo
rghrihgvucfqsggvnhhouhhruceouggvmhhisehinhhvihhsihgslhgvthhhihhnghhslh
grsgdrtghomheqnecuggftrfgrthhtvghrnhepvdefgeekvdekgfffgeekhfeijedtffek
hefhleehfeejueetgfelgefgtdevieelnecuvehluhhsthgvrhfuihiivgeptdenucfrrg
hrrghmpehmrghilhhfrhhomhepuggvmhhisehinhhvihhsihgslhgvthhhihhnghhslhgr
sgdrtghomh
X-ME-Proxy: <xmx:CKfhY3rYG3wiVsBDFyfuiwAWLwuYq7pH0P4KcwmBs6Z-OPFkQ9XJow>
<xmx:CKfhY0qMFHVn6M_W2vXDDb3zi42VT6PToq0bG5xObwtVNM7n5nw9gw>
<xmx:CKfhY9TT6FCTfP33sttJChAcWtaceJ2EQgbMVKx-jmqcKkoCkDuErA>
<xmx:CKfhY_Vf4DiFi7KbOSfNr4J22dR2iDI2aST25ufFzZHDe7F66lDDMg>
Feedback-ID: iac594737:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon,
6 Feb 2023 20:19:03 -0500 (EST)
From: Demi Marie Obenour <demi@invisiblethingslab.com>
To: Alasdair Kergon <agk@redhat.com>,
Mike Snitzer <snitzer@kernel.org>, dm-devel@redhat.com
Cc: Demi Marie Obenour <demi@invisiblethingslab.com>, =?utf-8?q?Marek_Marczy?=
=?utf-8?q?kowski-G=C3=B3recki?= <marmarek@invisiblethingslab.com>,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] Fail I/O to thin pool devices
Date: Mon, 6 Feb 2023 20:18:48 -0500
Message-Id: <20230207011849.1343-1-demi@invisiblethingslab.com>
X-Mailer: git-send-email 2.39.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.8 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_LOW,
RCVD_IN_MSPIKE_H2,SPF_HELO_PASS,SPF_NONE autolearn=ham
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1757134689837477098?=
X-GMAIL-MSGID: =?utf-8?q?1757134689837477098?=
|
| Series |
[1/2] Fail I/O to thin pool devices
|
|
Commit Message
Demi Marie Obenour
Feb. 7, 2023, 1:18 a.m. UTC
A thin pool device currently just passes all I/O to its origin device,
but this is a footgun: the user might not realize that tools that
operate on thin pool metadata must operate on the metadata volume. This
could have security implications.
Fix this by failing all I/O to thin pool devices.
Signed-off-by: Demi Marie Obenour <demi@invisiblethingslab.com>
---
drivers/md/dm-thin.c | 17 ++++++-----------
1 file changed, 6 insertions(+), 11 deletions(-)
Comments
On Tue, Feb 07, 2023 at 03:02:51PM +0000, Joe Thornber wrote: > Nack. > > I don't see the security issue; how is this any different from running the > thin tools on any incorrect device? Or even the data device that the pool > is mirroring. I special-cased the pool device for two reasons: 1. I have run the thin tools on the pool device myself before realising that they needed to be run on the metadata device. It took me a while to realize that I was using the wrong device. I have not made that mistake with other devices, which is why I special-cased the pool device in this patch. 2. Doing I/O to the pool device is pointless. The pool device is strictly slower than the data device and exposes the exact same contents, so accessing the pool device directly is never what one wants. If there are backwards compatibility concerns, I could make this be controlled by a Kconfig option, module parameter, or both. > In general the thin tools don't modify the metadata they're > running on. If you know of a security issue with the thin tools please let > me know. I am not aware of a concrete security problem, but in general I prefer not to expose unnecessary attack surface.
Dne 07. 02. 23 v 17:19 Demi Marie Obenour napsal(a): > On Tue, Feb 07, 2023 at 03:02:51PM +0000, Joe Thornber wrote: >> Nack. >> >> I don't see the security issue; how is this any different from running the >> thin tools on any incorrect device? Or even the data device that the pool >> is mirroring. > > I special-cased the pool device for two reasons: > > 1. I have run the thin tools on the pool device myself before realising > that they needed to be run on the metadata device. It took me a > while to realize that I was using the wrong device. I have not made > that mistake with other devices, which is why I special-cased the > pool device in this patch. > > 2. Doing I/O to the pool device is pointless. The pool device is > strictly slower than the data device and exposes the exact same > contents, so accessing the pool device directly is never what one > wants. > > If there are backwards compatibility concerns, I could make this be > controlled by a Kconfig option, module parameter, or both. > >> In general the thin tools don't modify the metadata they're >> running on. If you know of a security issue with the thin tools please let >> me know. > > I am not aware of a concrete security problem, but in general I prefer > not to expose unnecessary attack surface. lvm2 introduced 'protection' layer device - which keeps -tpool opened and thus avoid possibility to use i.e. mkfs on thin-pool itself (as it requires exclusive open) Zdenek
diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c index 64cfcf46881dc5d87d5dfdb5650ba9babd32cd31..d85fdbd782ae5426003c99a4b4bf53818cc85efa 100644 --- a/drivers/md/dm-thin.c +++ b/drivers/md/dm-thin.c @@ -3405,19 +3405,14 @@ static int pool_ctr(struct dm_target *ti, unsigned argc, char **argv) static int pool_map(struct dm_target *ti, struct bio *bio) { - int r; - struct pool_c *pt = ti->private; - struct pool *pool = pt->pool; - /* - * As this is a singleton target, ti->begin is always zero. + * Previously, access to the pool was passed down to the origin device. + * However, this turns out to be error-prone: if the user runs any of + * the thin tools on the pool device, the tools could wind up parsing + * potentially attacker-controlled data. This mistake has actually + * happened in practice. Therefore, fail all I/O on the pool device. */ - spin_lock_irq(&pool->lock); - bio_set_dev(bio, pt->data_dev->bdev); - r = DM_MAPIO_REMAPPED; - spin_unlock_irq(&pool->lock); - - return r; + return -EIO; } static int maybe_resize_data_dev(struct dm_target *ti, bool *need_commit)