To: Michael Monnerie <michael.monnerie@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [PATCH] xfsqa: test open_by_handle() on unlinked and freed inode clusters V2
From: Dave Chinner <david@xxxxxxxxxxxxx>
Date: Fri, 18 Jun 2010 08:51:30 +1000
Cc: xfs@xxxxxxxxxxx, aelder@xxxxxxx
In-reply-to: <201006171007.26040@xxxxxx>
References: <1276756659-12338-1-git-send-email-david@xxxxxxxxxxxxx> <201006171007.26040@xxxxxx>
User-agent: Mutt/1.5.20 (2009-06-14)

On Thu, Jun 17, 2010 at 10:07:25AM +0200, Michael Monnerie wrote:
> On Thursday, 17 June 2010 Dave Chinner wrote:
> > Hence if we get a cold cache lookup from a stale handle that
> > references such an inode, we can read the inode off disk even though
> > it has been deleted because we don't check if the inode is allocated
> > or not.  If the inode chunk has not been overwritten, then the inode
> > read will succeed and the handle-to-dentry conversion will not error
> > out like it is supposed to. The result is that stale NFS filehandles
> > and open_by_handle() will succeed incorrectly on unlinked files for
> > cold cache lookups.
>  
> Wouldn't that qualify as a security problem and be handled as such? 
> There should be back ports for "long term support" kernels of security-
> sensitive people, and so on.

Probably. Alex, are you able to handle this side of things?

Note that local open_by_handle() use is not really an issue - it
requires root and if you have root you can run xfs_db or dd on the
block device to get the same information.

Cheers,

Dave.
-- 
Dave Chinner
david@xxxxxxxxxxxxx
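
The cold-cache lookup described in the quoted text, as an added toy model in C that is not part of the original message and is not XFS code. The arrays, the `toy_*` functions and the `check_allocated` switch are all hypothetical names; the model assumes a cached inode knows it was unlinked, while the on-disk copy in a freed chunk is left as it was.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NINODES 8

struct handle { uint32_t ino; uint32_t gen; };  /* toy file handle */

static uint32_t disk_gen[NINODES];   /* generation number as stored on disk */
static bool allocated[NINODES];      /* toy allocation record for each inode */
static bool cached[NINODES];         /* inode is present in the in-memory cache */
static bool mem_unlinked[NINODES];   /* cached copy knows it has been unlinked */

/* Create a file: allocate the inode, write it out, hand back a handle. */
struct handle toy_create(uint32_t ino)
{
    disk_gen[ino]++;
    allocated[ino] = cached[ino] = true;
    mem_unlinked[ino] = false;
    return (struct handle){ .ino = ino, .gen = disk_gen[ino] };
}

/* Unlink the file and free its chunk: the allocation record is cleared,
 * but the inode on disk is not overwritten (assumption of this model). */
void toy_unlink_and_free(uint32_t ino)
{
    allocated[ino] = false;
    mem_unlinked[ino] = true;
}

/* Empty the in-memory cache, so the next lookup has to go to disk. */
void toy_drop_cache(void)
{
    memset(cached, 0, sizeof(cached));
    memset(mem_unlinked, 0, sizeof(mem_unlinked));
}

/* Handle-to-inode conversion: returns 0 on success, -ESTALE otherwise. */
int toy_handle_lookup(struct handle h, bool check_allocated)
{
    if (h.ino >= NINODES)
        return -ESTALE;
    if (cached[h.ino])               /* warm cache: in-memory state decides */
        return (mem_unlinked[h.ino] || disk_gen[h.ino] != h.gen) ? -ESTALE : 0;
    if (check_allocated && !allocated[h.ino])
        return -ESTALE;              /* cold cache, inode is not allocated */
    cached[h.ino] = true;            /* cold cache: trust what disk returns */
    return disk_gen[h.ino] == h.gen ? 0 : -ESTALE;
}
```

With `check_allocated` false, a handle kept from before the unlink fails while the inode is still cached but resolves again once the cache has been dropped; with it true, the same cold lookup returns `-ESTALE`.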
