Re: [RFC] i_generation numbers.
G. Allen Morris III (gam3@ixlabs.com)
Mon, 20 Sep 1999 00:05:47 -0700
>>>Neil Brown said:
> Well, my comment is that I'm not sure what you are trying to achieve.
>
> Your comments seem to suggest that an attacker might know (or be able
> to easily guess) the sequence number part of generation number, and
> that the random part was there to make it harder.
> To my mind, a better/simpler approach is that taken by the original
> BSD, and use fsirand (or similar) to give each inode a random starting
> point. Then simply incrmement this number each time the inode is
> reused.
> A reasonable simple "lazy" way to do this in ext2fs would be something
> like:
>
> if (!inode->i_generation)
> inode->i_generation = net_random()|1;
> else while (! ++inode->i_generation);
> which sets it randomly (but non zero) the first time, and then
> increments skipping 0.
>
> You then have 31 bits of randomness and 32 bits of uniqueness.
>
> Or was there something else that you were hoping to achieve that I
> missed?
Here is an attack of the above system.
1. Open a few thousand files.
2. Save the the filehandles for each of these files.
3. delete all the the files created above.
4. Incriment the the generation number in each of the
saved filehandle.
5. Try to read files using the above filehandles. If this
does not give you ESTALE you have opened a file that
someone else created.
Also 2^32 is not a very big number. It would be nice to be able
to tell the difference between a stale filehandle and an attack.
---------------------------------
G. Allen Morris III
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/