BUG: Mount ignores mount options

From: Darrick J. Wong <hidden>
Date: 2018-08-11 03:11:57
Also in: cgroups, linux-api, linux-fsdevel, lkml, selinux

Possibly related (same subject, not in this thread)

2018-08-15 · Re: BUG: Mount ignores mount options · Eric W. Biederman <hidden>
2018-08-13 · Re: BUG: Mount ignores mount options · Miklos Szeredi <miklos@szeredi.hu>
2018-08-11 · Re: BUG: Mount ignores mount options · Al Viro <viro@ZenIV.linux.org.uk>
2018-08-11 · Re: BUG: Mount ignores mount options · Casey Schaufler <casey@schaufler-ca.com>
2018-08-11 · Re: BUG: Mount ignores mount options · Andy Lutomirski <luto@amacapital.net>

On Fri, Aug 10, 2018 at 07:54:47PM -0400, Theodore Y. Ts'o wrote:

On Fri, Aug 10, 2018 at 03:12:34PM -0700, Darrick J. Wong wrote:

quoted

Hey now, there was a little more nuance to it than that[1][2].  The
complaint in the first instance had much more to do with breaking
existing V4 filesystems by adding format requirements that mkfs didn't
know about when the filesystem was created.  Yes, you can create V4
filesystems that will hang the system if the log was totally unformatted
and metadata updates are made, but OTOH it's fairly obvious when that
happens, you have to be root to mount a disk filesystem, and we try to
avoid breaking existing users.

I wasn't thinking about syzbot reports; I've largely written them off
as far as file system testing is concerned, but rather Wen Xu at
Georgia Tech, who is much more reasonable than Dmitry, and has helpeyd
me out a lot; and has complained that the XFS folks haven't been
engaging with him.

Ahh, ok.  Yes, Wen has been easier to work with, and gives out
filesystem images.  Hm, I'll go comb the bugzilla again...

In either case, both security researchers are fuzzing file system
images, and then fixing the checksums, and discovering that this can
lead to kernel crashes, and in a few cases, buffer overruns that can
lead to potential privilege escalations.  Wen can generate reports
faster than syzbot, but at least he gives me file system images (as
opposed to having to dig them out of syzbot repro C files) and he
actually does some analysis and explains what he thinks is going on.

(FWIW I tried to figure out how to add fs image dumping to syzbot and
whoah that was horrifying.

I don't think anyone was claiming that format requirements should be
added to ext4 or xfs file systems.  But rather, that kernel code
should be made more robust against maliciously corrupted file system
images that have valid checksums.  I've been more willing to work with
Wen; Dave has expressed the opinion that these are not realistic bug
reports, and since only root can mount file systems, it's not high
priority.

I don't think they're high priority either, but they're at least worth
/some/ attention.

The reason why I bring this up here is that in container land, there
are those who believe that "container root" should be able to mount
file systems, and if the "container root" isn't trusted, the fact that
the "container root" can crash the host kernel, or worse, corrupt the
host kernel and break out of the container as a result, that would be
sad.

I was pretty sure most file system developers are on the same page
that allowing untrusted "container roots" the ability to mount
arbitrary block device file systems is insanity.

Agreed.

Whether or not we try to fix these sorts of bugs submitted by security
researchers.  :-)

and agreed. :)

--D

	  	       	    	       		  - Ted

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help