Re: [for-linus][PATCH 1/3] eventfs: Have the inodes all for files and directories all be the same

From: Mathieu Desnoyers
Date: Mon Jan 22 2024 - 14:01:29 EST

Next message: Jakub Kicinski: "Re: Kernel panic in netif_rx_internal after v6 pings between netns"
Previous message: Mark Brown: "Re: [GIT PULL] SPI updates for v6.8"
In reply to: Steven Rostedt: "Re: [for-linus][PATCH 1/3] eventfs: Have the inodes all for files and directories all be the same"
Next in thread: Steven Rostedt: "Re: [for-linus][PATCH 1/3] eventfs: Have the inodes all for files and directories all be the same"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On 2024-01-22 12:50, Steven Rostedt wrote:

On Mon, 22 Jan 2024 12:14:36 -0500
Mathieu Desnoyers <mathieu.desnoyers@xxxxxxxxxxxx> wrote:

[...]

On my 6.1.0 kernel:

find /sys/kernel/tracing | wc -l
15598

(mainly due to TRACE_EVENT ABI files)

Hashing risks:

- Exposing kernel addresses if the hashing algorithm is broken,

Well this was my biggest concern, but if I truncate at least a nibble, with
the unique salt to the algorithm for each file, how easily does that expose
kernel addresses.

The ei itself, is created from kmalloc() so you would at best get a heap
address. But with the missing nibble (if I mask it with ((1 << 28) - 1),
and much more taken away for 64 bit systems), and the added unique salt, is
it possible for this to expose anything that could be used in an attack?

I don't know, which is why I am concerned about it.

But I don't think we should spend time trying to understand all
possible attack scenarios associated with hashing of kernel addresses
when there are much simpler options available.

- Collisions if users are unlucky (which could trigger those
'find' errors).

Those 15598 inode values fit within a single page (bitmap of
1922 bytes).

So I would recommend simply adding a bitmap per tracefs filesystem
instance to keep track of inode number allocation.

And how do I recover this bit after the inode is freed, but then referenced
again?

You would keep the allocated inode number value within your data
structure associated with the inode.

If you never free inodes, then you can just use a static increment
as Linus suggested. But AFAIU there are cases where you free inodes,
hence my suggestion of bitmap.

When the inode is freed, you know which inode number is associated from
the field in your data structure, so you can clear this bit in the bitmap.

On the next inode allocation, you find-first-zero-bit in the bitmap, and
set it to one to reserve it.

Creation/removal of files/directories in tracefs should not be
a fast-path anyway, so who cares about the speed of a find first
bit within a single page ?

When an inode is no longer referenced, it is freed. When it is referenced
again, I want it to be recreated with the same inode number it had
previously. How would having a bitmask help with that? I need a way to map
an ei structure with a unique number without adding another 4 bytes to the
structure itself.

As discussed in a separate exchange with Linus, why do you care so much about
not adding a 4 bytes field to the structure ?

Thanks,

Mathieu

--
Mathieu Desnoyers
EfficiOS Inc.
https://www.efficios.com

Next message: Jakub Kicinski: "Re: Kernel panic in netif_rx_internal after v6 pings between netns"
Previous message: Mark Brown: "Re: [GIT PULL] SPI updates for v6.8"
In reply to: Steven Rostedt: "Re: [for-linus][PATCH 1/3] eventfs: Have the inodes all for files and directories all be the same"
Next in thread: Steven Rostedt: "Re: [for-linus][PATCH 1/3] eventfs: Have the inodes all for files and directories all be the same"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]