Re: device mapper and the BLKFLSBUF ioctl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Oct 21 2016 at  4:18P -0400,
Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote:

> 
> 
> On Fri, 21 Oct 2016, Mike Snitzer wrote:
> 
> > On Fri, Oct 21 2016 at  2:33pm -0400,
> > Mikulas Patocka <mpatocka@xxxxxxxxxx> wrote:
> > 
> > > Hi
> > > 
> > > I found a bug in dm regarding the BLKFLSBUF ioctl.
> > > 
> > > The BLKFLSBUF ioctl can be called on a block device and it flushes the 
> > > buffer cache. There is one exception - when it is called on ramdisk, it 
> > > actually destroys all ramdisk data (it works like a discard on the full 
> > > device).
> > > 
> > > The device mapper passes this ioctl down to the underlying device, so when 
> > > the ioctl is called on a logical volume, it can be used to destroy the 
> > > underlying volume group if the volume group is on ramdisk.
> > > 
> > > For example:
> > > # modprobe brd rd_size=1048576
> > > # pvcreate /dev/ram0
> > > # vgcreate ram_vg /dev/ram0
> > > # lvcreate -L 16M -n ram_lv ram_vg
> > > # blockdev --flushbufs /dev/ram_vg/ram_lv
> > > 	--- and now the whole volume group is gone, all data on the 
> > > 		ramdisk were replaced with zeroes
> > > 
> > > The BLKFLSBUF ioctl is only allowed with CAP_SYS_ADMIN, so there shouldn't 
> > > be security implications with this.
> > > 
> > > Whan to do with it? The best thing would be to drop this special ramdisk 
> > > behavior and make the BLKFLSBUF ioctl flush the buffer cache on ramdisk 
> > > like on all other block devices. But there may be many users having 
> > > scripts that depend on this special behavior.
> > > 
> > > Another possibility is to stop the device mapper from passing the 
> > > BLKFLSBUF ioctl down.
> > 
> > If anything DM is being consistent with what the underlying device is
> > meant to do.
> > 
> > brd_ioctl() destroys the data in response to BLKFLSBUF.. I'm missing why
> > this is a DM-specific problem.
> 
> The problem is that if we call it on a logical volume, it destroys all 
> logical volumes on the give physical volume.

Yeah, pretty awful.  But this isn't a DM-specific concern.  Could easily
happen with normal block partitions too right?

We _could_ add a DM-specific hack like this but it feels wrong to me:

diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index ec513ee..e91607f 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -10,6 +10,8 @@
 #include "dm-uevent.h"
 
 #include <linux/init.h>
+#include <linux/fs.h>
+#include <linux/major.h>
 #include <linux/module.h>
 #include <linux/mutex.h>
 #include <linux/blkpg.h>
@@ -470,6 +472,16 @@ static int dm_blk_ioctl(struct block_device *bdev, fmode_t mode,
 		 * a logical partition of the parent bdev; so extra
 		 * validation is needed.
 		 */
+		if (MAJOR(disk_devt(bdev->bd_disk)) == RAMDISK_MAJOR &&
+		    cmd == BLKFLSBUF) {
+			/*
+			 * Disallow BLKFLSBUF on ramdisk because it can easily
+			 * destroy data outside of this logical volume.
+			 */
+			r = -EIO;
+			goto out;
+		}
+
 		r = scsi_verify_blk_ioctl(NULL, cmd);
 		if (r)
 			goto out;

--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel



[Index of Archives]     [DM Crypt]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite Discussion]     [KDE Users]     [Fedora Docs]

  Powered by Linux