libblkid: (bcachefs) fix not detecting large superblocks #2427
karelzak merged 1 commit into util-linux:master
Conversation
t-8ch left a comment:
This is a nice validation.
Another goal this hardcoded limit achieves is to limit the amount of data that can be read from a malicious disk image. We would lose this goal in the current state.
The default maximum size is currently 1MiB, but can be set higher. I'm not sure how big they could realistically get. We could have both this check, and a hard limit at 10MiB or so. I'll get in touch with the bcachefs devs and try to find what an appropriate limit is.
Thanks! Thinking about this some more:
Probing does not detect bcachefs filesystems with a superblock larger than 4KiB. Bcachefs superblocks grow in size and can become much larger than this. Increase the superblock maximum size limit to 1MiB. Validate the superblock isn't larger than the maximum size defined in the superblocks layout section.
I've received advice that 1MiB is fine for the hard limit and restored the check.
Good question. Now libblkid/src/probe.c: read_buffer() uses ULONG_MAX as the limit, and blkid_probe_get_buffer() checks if the requested area fits into the device. There is no other limit. The question is, what is the right generic limit? IMHO, the ideal is to check for proper limits in the probing functions where we call blkid_probe_get_buffer() and blkid_probe_get_sb_buffer(). The generic limit we can set to something crazy (10MiB? ... not sure)
Maybe 8MiB, it's a nice power-of-two. |
Many probers read data from disk bounded by some field from the probed disk itself. The probers should validate the read length before using. Add a fallback that kicks in when the prober does not check the length explicitly. See util-linux#2427 Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
Addresses: #2427 Signed-off-by: Karel Zak <kzak@redhat.com>
Addresses: util-linux#2427 Signed-off-by: Karel Zak <kzak@redhat.com> (cherry picked from commit 17873d3)
The bcachefs probe has a maximum superblock size hardcoded to 4KiB. This is causing it to miss filesystems whose superblock has grown larger than 4KiB. The maximum potential size of the superblock is encoded at a fixed location within the superblock, so this value should be used instead.
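The thread above turns on one pattern: a prober reads a size field from the device it is probing, and that field must be bounded both by a hard cap (so a crafted image cannot make libblkid read megabytes) and by the device size (so the requested area actually exists). The following is an added illustration written for this page, not libblkid code and not the real bcachefs superblock layout: the header format (`TOY_MAGIC`, the size field at offset 4), the cap name `SB_HARD_MAX_BYTES`, and the function names are all constructed here. It takes the 1MiB cap the discussion settled on and shows the order of checks a prober should apply before trusting an on-disk length.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hard cap on how many bytes a prober may read on the strength of a size
 * field found on the device itself.  The PR settled on 1MiB for bcachefs;
 * the name SB_HARD_MAX_BYTES is ours, not a libblkid identifier.
 */
#define SB_HARD_MAX_BYTES (1024u * 1024u)

/* Constructed toy superblock header layout (not the real bcachefs format). */
#define TOY_MAGIC           0x42434653u  /* arbitrary constructed magic value */
#define TOY_MAGIC_OFF       0
#define TOY_SB_MAX_SIZE_OFF 4            /* little-endian u32: declared max superblock size */
#define TOY_HEADER_BYTES    8

enum probe_result {
    PROBE_OK = 0,
    PROBE_NO_MAGIC,       /* not our filesystem */
    PROBE_BAD_SIZE,       /* header too short, or declared size smaller than the header */
    PROBE_TOO_LARGE,      /* declared size exceeds the hard cap: field is not trusted */
    PROBE_BEYOND_DEVICE   /* declared size does not fit on the device */
};

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Validate the read length a prober derives from the on-disk header.
 * Returns PROBE_OK and stores the safe length in *out_len; on any
 * failure *out_len is 0 so a caller cannot accidentally use it.
 */
enum probe_result validate_sb_read(const uint8_t *hdr, size_t hdr_len,
                                   uint64_t dev_size, uint64_t *out_len)
{
    *out_len = 0;
    if (hdr_len < TOY_HEADER_BYTES)
        return PROBE_BAD_SIZE;
    if (le32(hdr + TOY_MAGIC_OFF) != TOY_MAGIC)
        return PROBE_NO_MAGIC;

    uint64_t declared = le32(hdr + TOY_SB_MAX_SIZE_OFF);
    if (declared < TOY_HEADER_BYTES)
        return PROBE_BAD_SIZE;
    /* Prober-specific cap; the generic read path applies the same cap as a fallback. */
    if (declared > SB_HARD_MAX_BYTES)
        return PROBE_TOO_LARGE;
    /* Mirrors the "does the requested area fit into the device" check. */
    if (declared > dev_size)
        return PROBE_BEYOND_DEVICE;

    *out_len = declared;
    return PROBE_OK;
}

/* Build a constructed header (TOY_HEADER_BYTES bytes) into buf. */
static void make_header(uint8_t *buf, uint32_t magic, uint32_t declared)
{
    for (int i = 0; i < 4; i++) {
        buf[TOY_MAGIC_OFF + i] = (uint8_t)(magic >> (8 * i));
        buf[TOY_SB_MAX_SIZE_OFF + i] = (uint8_t)(declared >> (8 * i));
    }
}

/* Probe a constructed header and return the verdict. */
enum probe_result probe_sample(uint32_t magic, uint32_t declared, uint64_t dev_size)
{
    uint8_t hdr[TOY_HEADER_BYTES];
    uint64_t len;
    make_header(hdr, magic, declared);
    return validate_sb_read(hdr, sizeof hdr, dev_size, &len);
}

/* The length the prober would be allowed to read for that header (0 if rejected). */
uint64_t probe_sample_len(uint32_t magic, uint32_t declared, uint64_t dev_size)
{
    uint8_t hdr[TOY_HEADER_BYTES];
    uint64_t len;
    make_header(hdr, magic, declared);
    validate_sb_read(hdr, sizeof hdr, dev_size, &len);
    return len;
}

int main(void)
{
    const uint64_t dev = 1ull << 30;   /* constructed 1GiB device */
    printf("8KiB superblock on 1GiB device: %d\n", probe_sample(TOY_MAGIC, 8192, dev));
    printf("2MiB superblock on 1GiB device: %d\n", probe_sample(TOY_MAGIC, 2u * 1024 * 1024, dev));
    printf("64KiB superblock on 4KiB device: %d\n", probe_sample(TOY_MAGIC, 65536, 4096));
    return 0;
}
```

The check order matters: the magic is verified before the size field is looked at, the hard cap is applied before the device-size comparison, and the output length is zeroed on every failure path. That way a probe that fails for any reason leaves nothing a later read could pick up, which is the property the fallback in probe.c is meant to guarantee for probers that forget their own check.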