On Sun, Jan 10, 2021 at 07:41:02PM +0100, Pavel Machek wrote:
> > From our perspective (and Darrick and I discussed this on this week's
> > ext4 video conference, so it represents the ext4 and xfs maintainer's
> > position) is that the file system format is different. First, the
> > on-disk format is not an ABI, and it is several orders more complex
> > than a system call interface. Second, we make no guarantees about
> > what the file system created by malicious tools will do. For example,
> > XFS developers reject bug reports from file system fuzzers, because
> > the v5 format has CRC checks, so randomly corrupted file systems won't
> > crash the kernel. Yes, this doesn't protect against maliciously
> > created file systems where the attacker makes sure the checksums are
> > valid, but only crazy people who think containers are just as secure
>
> Well, it is not just containers. It is also USB sticks. And people who
> believe secure boot is a good idea and try to protect the kernel against
> root. And crazy people who encrypt pointers in dmesg. And...
>
> People want to use USB sticks from time to time. And while I
> understand XFS is so complex it is unsuitable for such use, I'd still
> expect bugs to be fixed there.
>
> I hope VFAT to be safe to mount, because that is very common on USB.
>
> I also hope ext2/3/4 is safe in that regard.

Ext4 will fix file system fuzzing attack bugs on a best efforts basis.
That is, when I have time, I've been known to stay up late to fix bugs
reported by fuzzers. I hope ext4 is safe, but I'm not going to make any
guarantees that it is Bug-Free(tm). If you want to trust it in that way,
you do so at your risk.
As far as VFS is concerned, I'm not aware of anyone who has been working
on fuzz-proofing VFAT, and looking at the Vault 2016 for "American Fuzzy
Lop"[1], while VFAT wasn't specifically tested, for the vast majority of
file systems the "time to first bug" typically ranged from seconds to
minutes, with the exception of XFS and ext4 (where it was roughly 2
hours). The specific bugs which triggered in the 2016 AFL presentation
have been fixed, at least for the file systems which get regular
maintainer attention, but this is why I try to caution people not to
count on file systems being proof against maliciously formatted images.

[1] https://events.static.linuxfound.org/sites/events/files/slides/AFL%20filesystem%20fuzzing,%20Vault%202016_0.pdf

> Anyway it would be nice to have documentation explaining this. If I'm
> wrong about VFAT being safe, it would be good to know, and I guess
> many will be surprised that XFS is using different rules.

Using USB sticks is fine, so long as you trust the provenance of the
drive. If you take a random USB stick that is handed to you by someone
whom you don't trust implicitly, or worse, that you picked up abandoned
on the sidewalk, there have been plenty of articles which describe why
this is a REALLY BAD IDEA, and even if you ignore OS-level
vulnerabilities, there are also firmware and hardware based
vulnerabilities that would put your computer at risk. See [2] and [3]
for more details; there's a reason why I've visited at least one
financial institution where they put epoxy in USB ports to prevent
clueless workers from potentially compromising the bank's computers.

[2] https://www.redteamsecure.com/blog/usb-drop-attacks-the-danger-of-lost-and-found-thumb-drives/
[3] https://www.bleepingcomputer.com/news/security/heres-a-list-of-29-different-types-of-usb-attacks/

As far as documentation is concerned, how far should we go?
Should there be a warning in the execve(2) system call man page that you
shouldn't download random binaries from the network and execute them?
:-)

Cheers,

- Ted