Hello,

On Fri, Sep 24, 2021 at 04:06:10PM +0300, Reco wrote:
> On Fri, Sep 24, 2021 at 01:59:58PM +0200, to...@tuxteam.de wrote:
> > Back then you could more or less safely assume that a file system
> > image wasn't out to kill you. These days, though...
>
> Oh. Citation needed. Curious minds want to know.

I've repeatedly read kernel developers say that there are no safety guarantees about mounting a filesystem that someone else has made. In this article, Theodore Ts'o (the primary developer of ext*) is quoted as saying that ext4 and XFS currently aren't safe in that regard:

https://lwn.net/Articles/796687/

> How exactly one can produce a filesystem image that tries to get you?

You would craft invalid metadata that caused bad things to happen when it's mounted. Just because the kernel can't make such metadata itself doesn't mean that an attacker can't write it to an image.

The article is about a new filesystem, where it was pointed out that it would be trivial to craft an image that crashed the kernel. That was considered a bug and fixed, but existing Linux filesystem developers admit that there are similar bugs in incredibly popular existing filesystems on Linux, so to demand that a new filesystem didn't have that problem would be a double standard. Others preferred to see it as standards being raised.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting