Re: [PATCH] dm-verity: restart or panic on an I/O error

On Fri, 27 Sep 2024, Sami Tolvanen wrote:

> > See for example openssh, the function read_config_file_depth. There is:
> >
> > while (getline(&line, &linesize, f) != -1) {
> >         ... process_config_line_depth
> > }
> > free(line);
> > fclose(f);
> > if (bad_options > 0)
> >         fatal("%s: terminating, %d bad configuration options",
> >                 filename, bad_options);
> > return 1;
> >
> > So, the function doesn't distinguish between error and eof. If reading the
> > config file returns -EIO, the function exits with 1 as if the file was
> > empty.
> 
> Sounds like OpenSSH's threat model doesn't include an attacker who can
> trigger arbitrary I/O errors. If you want dm-verity to protect against
> this, why not add a new restart_on_errors flag instead of changing the
> semantics of the restart_on_corruption flag and risk breaking existing
> users?
> 
> Sami

The dm-verity behavior was reported as a security bug, so by default, it 
should behave in the secure way - i.e. restart or panic on I/O error.

Do you intend to use dm-verity in Android and ChromeOS in the less-secure 
way where it returns -EIO? Have you audited the Android and ChromeOS 
codebase so that -EIO can't cause a security breach? If yes, I can make a 
configuration switch for you that will enable the old behavior.

Mikulas
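The EOF-versus-error point in the quoted openssh excerpt, shown as an added example written for this archive page (it is not openssh's or dm-verity's code). Both readers use the same getline() loop; the lenient one stops at -1 and reports only a line count, the strict one consults ferror() afterwards. The inputs are constructed: a two-line config held in memory via fmemopen(), /dev/null as an empty file, and a directory opened with fopen(), whose read() fails with EISDIR on Linux and stands in for the -EIO that dm-verity returns. The function names and the choice of these inputs are this example's own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for getline() and fmemopen() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample config; stands in for a file read through dm-verity. */
static const char SAMPLE_CONFIG[] = "Port 22\nPermitRootLogin no\n";

/* Reader in the style of the quoted openssh loop: getline() returning -1
 * ends the loop whether the cause was EOF or a read error, so the caller
 * only learns how many lines arrived.  Returns that count. */
static int count_lines_lenient(FILE *f)
{
    char *line = NULL;
    size_t cap = 0;
    int n = 0;

    while (getline(&line, &cap, f) != -1)
        n++;                /* process_config_line_depth() would go here */
    free(line);
    return n;               /* a failed read and an empty file both give 0 */
}

/* Hardened reader: after the loop, ferror() tells EOF apart from a read
 * error.  Returns the line count on a clean EOF, or -1 (errno preserved)
 * when the stream reported an error, so the caller can refuse to proceed
 * instead of treating the config as empty. */
static int count_lines_strict(FILE *f)
{
    char *line = NULL;
    size_t cap = 0;
    int n = 0;

    while (getline(&line, &cap, f) != -1)
        n++;
    int saved_errno = errno;    /* free() may clobber errno */
    free(line);
    if (ferror(f)) {
        errno = saved_errno;
        return -1;
    }
    return n;
}

/* Open one of three constructed inputs: the two-line config in memory,
 * an empty file, or a stream whose read() fails (a directory, which on
 * Linux yields EISDIR, playing the role of dm-verity's -EIO). */
static FILE *open_input(const char *kind)
{
    if (strcmp(kind, "config") == 0)
        return fmemopen((void *)SAMPLE_CONFIG, sizeof SAMPLE_CONFIG - 1, "r");
    if (strcmp(kind, "empty") == 0)
        return fopen("/dev/null", "r");
    if (strcmp(kind, "ioerror") == 0)
        return fopen("/", "r");
    return NULL;
}

/* Run one reader over one input kind; -2 means the input could not be opened. */
static int run_reader(int (*reader)(FILE *), const char *kind)
{
    FILE *f = open_input(kind);
    if (!f)
        return -2;
    int r = reader(f);
    fclose(f);
    return r;
}

int main(void)
{
    const char *kinds[] = { "config", "empty", "ioerror" };
    for (size_t i = 0; i < 3; i++) {
        int lenient = run_reader(count_lines_lenient, kinds[i]);
        int strict = run_reader(count_lines_strict, kinds[i]);
        printf("%-8s lenient=%d strict=%d%s\n", kinds[i], lenient, strict,
               strict < 0 ? "  (read error reported)" : "");
    }
    return 0;
}
```

The lenient reader returns 0 for both the empty file and the failing stream, which is exactly the "as if the file was empty" outcome the thread describes; the strict reader returns -1 for the failing stream only, so a caller can fail closed when the underlying device reports an error.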
