https://bugzilla.kernel.org/show_bug.cgi?id=214665 Bug ID: 214665 Summary: security bug:using "truncate" bypass disk quotas limit Product: File System Version: 2.5 Kernel Version: 3.10.0-1160.36.2.el7.x86_64 Hardware: All OS: Linux Tree: Mainline Status: NEW Severity: normal Priority: P1 Component: ext4 Assignee: fs_ext4@xxxxxxxxxxxxxxxxxxxx Reporter: 1157599735@xxxxxx Regression: No * Overview system user can bypass "disk quota limit" using "truncate -s 10T id" command (that can create a file whose size is 10T). * Steps to Reproduce 1. create a user and setup a disk quota for this user create user "test" ``` useradd test ``` create filesystem ``` [root@vm10-50-0-18 ~]# dd if=/dev/zero of=ext4 bs=1G count=1 [root@vm10-50-0-18 ~]# mkfs.ext4 ext4 [root@vm10-50-0-18 ~]# mkdir -p /tmp/test && chmod -R 777 /tmp/test && mount -o usrquota,grpquota ext4 /tmp/test ``` setup disk quota ``` [root@vm10-50-0-18 ~]# quotacheck -u /tmp/test/ # create "aquota.user" file [root@vm10-50-0-18 ~]# edquota -u test [root@vm10-50-0-18 ~]# quotaon /tmp/test/ -u # open quota service ``` the quota setting is like below: user "test" can not use disk space which size exceed 10K. ``` Disk quotas for user test (uid 1000): Filesystem blocks soft hard inodes soft hard /dev/loop0 0 10 10 0 0 0 ``` 2. verify the quota limit using "dd" ``` [root@vm10-50-0-18 ~]# su - test 上一次登录:六 10月 9 18:14:31 CST 2021pts/1 上 [test@vm10-50-0-18 ~]$ dd if=/dev/zero of=/tmp/test/id bs=20K count=1 loop0: write failed, user block limit reached. # yes,this limit is as expected dd: error writing ‘/tmp/test/id’: Disk quota exceeded 1+0 records in 0+0 records out 8192 bytes (8.2 kB) copied, 0.000221445 s, 37.0 MB/s ``` this result is as expected: "test" user can not write file whose size is more than 10K. 3. verify the quota limit using "truncate" ``` [test@vm10-50-0-18 test]$ truncate -s 10T id [test@vm10-50-0-18 test]$ ll -h id -rw-rw-r-- 1 test test 10T Oct 9 17:16 id ``` actual results is: "test" user can create file whose size is 10T, larger more than 10K expected result is: like "dd result" above, "test" user can not write file whose size is more than 10K. -- You may reply to this email to add a comment. You are receiving this mail because: You are watching the assignee of the bug.