Hi Qu,
I will go a bit off topic, because I am interested more in the understanding of the btrees than the topic of this thread
On 5/5/20 11:26 AM, Qu Wenruo wrote:
[...]
My personal idea on this swap-tree attack is, the first key, generation,
bytenr protection can prevent such case.
The protection chain begins from superblock, and ends at the leaf tree
blocks, as long as superblock is also protected by hmac hash, it should
be safe.
Btrfs protects parent-child relationship by:
- Parent has the pointer (bytenr) of its child
The main protection. If attacker wants to swap one tree block, it must
change the parent tree block.
The parent is either a tree block (parent node), or root item in root
tree, or a super block.
All protected by hmac csum. Thus attack can only do such attach by
knowing the key.
- Parent has the first key of its child
Unlike previous one, this is just an extra check, no extra protection.
And root item doesn't contain the first key.
It always true ? When a key is inserted, we update the key of the parent to be equal to the first of the (right) child. However when a key is removed, this should be not mandatory. Is it enough that the parent key is greater (or equal) than the first key of the left node, and lesser than the last of the right node ?
Supposing to have
10
/ \
1 2 3 4 5 10 11 12 13
If you remove 10 in the right child node, is it mandatory to updated the '10' in the parent node (to 11) ?
[...]
--
gpg @keyserver.linux.it: Goffredo Baroncelli <kreijackATinwind.it>
Key fingerprint BBF5 1610 0B64 DAC6 5F7D 17B2 0EDA 9B37 8B82 E0B5
