On Tue, Jul 27, 2021 at 04:56:41PM -0700, Darrick J. Wong wrote: > From: Darrick J. Wong <djwong@xxxxxxxxxx> > > While reviewing the buffer item recovery code, the thought occurred to > me: in V5 filesystems we use log sequence number (LSN) tracking to avoid > replaying older metadata updates against newer log items. However, we > use the magic number of the ondisk buffer to find the LSN of the ondisk > metadata, which means that if an attacker can control the layout of the > realtime device precisely enough that the start of an rt bitmap block > matches the magic and UUID of some other kind of block, they can control > the purported LSN of that spoofed block and thereby break log replay. > > Since realtime bitmap and summary blocks don't have headers at all, we > have no way to tell if a block really should be replayed. The best we > can do is replay unconditionally and hope for the best. > > Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx> > --- > fs/xfs/xfs_buf_item_recover.c | 14 ++++++++++++-- > 1 file changed, 12 insertions(+), 2 deletions(-) Looks good now. Reviewed-by: Dave Chinner <dchinner@xxxxxxxxxx> -- Dave Chinner david@xxxxxxxxxxxxx
