On Thu, Jun 17, 2010 at 10:07:25AM +0200, Michael Monnerie wrote:
> On Donnerstag, 17. Juni 2010 Dave Chinner wrote:
> > Hence if we get a cold cache lookup from a stale handle that
> > references such an inode, we can read the inode off disk even though
> > it has been deleted because we don't check if the inode is allocated
> > or not. If the inode chunk has not been overwritten, then the inode
> > read will succeed and the handle-to-dentry conversion will not error
> > out like it is supposed to. The result is that stale NFS filehandles
> > and open_by_handle() will succeed incorrectly on unlinked files for
> > cold cache lookups.
> Wouldn't that qualify as a security problem and be handled as such?
> There should be back ports for "long term support" kernels of security-
> sensitive people, and so on.
Probably. Alex, are you able to handle this side of things?
Note that local open_by_handle() use is not really an issue - it
requires root and if you have root you can run xfs_db or dd on the
block device to get the same information.