On Thu, May 10, 2012 at 10:01:19AM +0200, Jan Kara wrote:
> Generally, when the directory structure is corrupted so that cycles are
> created, our locking protocol is prone to deadlocks. This is somewhat
> unpleasant if you have a system where you allow mounting untrusted media.
> So my question is: Do we care? And if yes, how to best fix this? My naive
> idea would be that we could check in d_instantiate() whether we are
> creating a directory dentry and if yes, check that inode is not already
> attached to a directory hierarchy (i.e. effectively forbid directory
> hardlinks). But this might be a bit tricky given dentry aliases. So what
> are your thoughts?

Besides being a potential security problem, two other possible considerations come to my mind. Not saying that either of these necessarily needs to be a big concern, just my thoughts:

* I think it could be sensibly argued that a filesystem implementation where the flipping of a single bit in a filesystem image can cause a deadlock is not very robust, i.e. this could plausibly happen without any malice;

* From a testing perspective, and especially a fuzz-testing perspective, the tolerated presence of such flaws makes finding other, unrelated problems harder.

Sami
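The check Jan proposes (a directory inode that already has a dentry must not be instantiated under a second one) as a small userspace model in C. This is an added example, not kernel code and not anything posted in this thread: the two "on-disk" images, the inode numbers and names, and the functions model_d_instantiate, model_lookup and inode_on_own_ancestry are constructed for illustration. The model walks a path from the root the way lookup would, instantiating a dentry per component, and shows that on an image where one entry has been flipped to point back at an ancestor inode, the unchecked walk ends at a dentry whose own inode sits on its parent chain (the shape a directory cycle has), while the checked walk refuses at the point the second alias would be created.

```c
/* Added example, not kernel code: a userspace model of refusing, at
 * d_instantiate() time, to give a directory inode a second dentry.
 * Image contents, inode numbers and function names are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_DENTRIES 32
#define ROOT_INO 1UL
#define ARRAY_LEN(a) (int)(sizeof(a) / sizeof((a)[0]))

/* Constructed "on-disk" directory entries: parent dir inode, name, child inode, is_dir. */
struct disk_entry { unsigned long dir; const char *name; unsigned long ino; int is_dir; };

/* Clean image: / -> a(2) -> b(3) -> f(4, a regular file). */
static const struct disk_entry clean_image[] = {
    { 1, "a", 2, 1 }, { 2, "b", 3, 1 }, { 3, "f", 4, 0 },
};
/* Corrupted image: the last entry now names inode 2 (a) as a child of b,
 * so a/b/c is a again: a directory reachable on its own descendant chain. */
static const struct disk_entry cycle_image[] = {
    { 1, "a", 2, 1 }, { 2, "b", 3, 1 }, { 3, "c", 2, 1 },
};

struct dentry { unsigned long ino; int is_dir; int parent; };
static struct dentry dcache[MAX_DENTRIES];
static int ndentries;

static void dcache_reset(void)
{
    ndentries = 1;
    dcache[0] = (struct dentry){ ROOT_INO, 1, -1 };
}

/* 1 if directory inode `ino` already has a dentry in the cache (an alias). */
static int dir_has_alias(unsigned long ino)
{
    for (int i = 0; i < ndentries; i++)
        if (dcache[i].is_dir && dcache[i].ino == ino) return 1;
    return 0;
}

/* Model of d_instantiate(): with `enforce` set, refuse a second directory
 * alias. -1 stands in for an error return; which errno the kernel would
 * use is not something the thread settles, so none is assumed here. */
static int model_d_instantiate(int parent, unsigned long ino, int is_dir, int enforce)
{
    if (ndentries >= MAX_DENTRIES) return -1;
    if (enforce && is_dir && dir_has_alias(ino)) return -1;
    dcache[ndentries] = (struct dentry){ ino, is_dir, parent };
    return ndentries++;
}

/* Walk a '/'-separated path from the root on a fresh dentry cache,
 * instantiating one dentry per component as lookup would.
 * Returns the dentry index of the last component, or -1 on failure. */
int model_lookup(const struct disk_entry *img, int n, const char *path, int enforce)
{
    char buf[128];
    strncpy(buf, path, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    dcache_reset();
    int cur = 0;
    for (char *name = strtok(buf, "/"); name; name = strtok(NULL, "/")) {
        int found = -1;
        if (!dcache[cur].is_dir) return -1;
        for (int i = 0; i < n; i++)
            if (img[i].dir == dcache[cur].ino && strcmp(img[i].name, name) == 0) { found = i; break; }
        if (found < 0) return -1;
        cur = model_d_instantiate(cur, img[found].ino, img[found].is_dir, enforce);
        if (cur < 0) return -1;
    }
    return cur;
}

/* 1 if the inode of dentry `d` also appears on d's own parent chain,
 * i.e. the tree walked to reach d passed through the same directory twice. */
int inode_on_own_ancestry(int d)
{
    if (d < 0) return 0;
    for (int p = dcache[d].parent; p >= 0; p = dcache[p].parent)
        if (dcache[p].ino == dcache[d].ino) return 1;
    return 0;
}

int main(void)
{
    int d = model_lookup(cycle_image, ARRAY_LEN(cycle_image), "a/b/c", 0);
    printf("unchecked lookup of a/b/c on corrupted image: dentry %d, inode on own ancestry: %d\n",
           d, inode_on_own_ancestry(d));
    printf("checked lookup of a/b/c on corrupted image: %d\n",
           model_lookup(cycle_image, ARRAY_LEN(cycle_image), "a/b/c", 1));
    printf("checked lookup of a/b/f on clean image: %d\n",
           model_lookup(clean_image, ARRAY_LEN(clean_image), "a/b/f", 1));
    return 0;
}
```

The model keeps the dentry structure itself a tree (every dentry has one parent), which is why the cycle shows up as a repeated inode on an ancestry chain rather than as a loop of pointers; that is also why the alias check at instantiation time is enough to stop the walk from ever creating it. What the model does not cover is the case Jan flags as tricky, a directory inode that legitimately has dentry aliases for reasons other than on-disk corruption, which this check would refuse as well.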