bogus UFS readdir
Sigh, should have replied-all on this.

---------- Forwarded message ---------
From: Philip Guenther <guenther@gmail.com>
Date: Mon, Jan 1, 2024 at 3:32 PM
Subject: Re: bogus UFS readdir
To: Ali Farzanrad <ali_farzanrad@riseup.net>

On Mon, Jan 1, 2024 at 9:23 AM Ali Farzanrad <ali_farzanrad@riseup.net> wrote:
> Philip Guenther <guenther@gmail.com> wrote:
> ...
> > Checking for d_namlen > d_reclen is fsck's job, adding it here is not
> > useful.
>
> I always expected that the safest way to mount an unknown USB disk would
> be a simple command: mount -o ro,nodev,nosuid,noexec /dev/sdXY /mnt
>

Nope. That hasn't been the case in any version of OpenBSD or its predecessor BSDs. I don't even think it's the case that "fsck -f" is guaranteed to fail on every file system that can crash the kernel, though I would probably assume it for FAT filesystems. And I think many would think that it should be safe.

> I think it is unfair if I get unauthorized Kernel Memory read if I
> forget to fsck a USB disk before mounting it!
>

I'm not sure what you mean by 'unfair', as it _sounds_ like you're saying that you object to others giving you something for free if you disagree with any of the limitations in what they provided, whether or not they had what they felt were good reasons for those limitations.

Multiple software engineering groups over the past 50 years have disagreed and felt that splitting out the functionality of fsck is a better engineering choice. I'm sure there are groups of users for whom that limitation is not the right choice, but at the current time and for the expected future, OpenBSD and FFS will have the limitation that mounting a random untrusted filesystem is NOT SAFE, and failing to fsck a filesystem that you _do_ trust but that wasn't unmounted cleanly or that may have been corrupted is also unsafe. If you feel strongly about this, then OpenBSD is not a good choice for you at this time.
If you want to do something about it, then the work to actually design and implement a filesystem for which no input can crash the kernel and which meets the requirements of a production product is probably at least a masters-level effort in some graduate-level CS department.

Philip Guenther
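The d_namlen/d_reclen consistency check the thread argues over, as an added example that is not part of the original message and not OpenBSD's own code: a user-space validator over one FFS directory block, using the on-disk record layout from ufs/ufs/dir.h (8-byte header of d_ino, d_reclen, d_type, d_namlen; NUL-terminated d_name; records padded to a 4-byte boundary; MAXNAMLEN 255). The function and error names, and the three constructed blocks, are this example's own. The point it shows is that every byte it touches lies inside the block it was handed, because the two on-disk lengths are checked before either is used as an index.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Layout constants as in ufs/ufs/dir.h; the macro name DIRSIZ is borrowed, the rest is ours. */
#define DIRBLKSIZ   512
#define MAXNAMLEN   255
#define DIRHDRSIZ   8
#define DIRSIZ(nl)  ((DIRHDRSIZ + (nl) + 1 + 3) & ~(size_t)3)

struct direct_hdr {          /* the fixed 8-byte prefix of struct direct */
    uint32_t d_ino;
    uint16_t d_reclen;
    uint8_t  d_type;
    uint8_t  d_namlen;
};

/* Error codes (returned negated); names are this example's, not the kernel's. */
enum {
    DIR_E_TRUNC = 1,       /* fewer than 8 bytes left for a header */
    DIR_E_ALIGN,           /* d_reclen zero or not a multiple of 4 */
    DIR_E_RECLEN_OVERRUN,  /* d_reclen runs past the end of the block */
    DIR_E_NAMLEN_MAX,      /* d_namlen > MAXNAMLEN */
    DIR_E_NAMLEN_OVERRUN,  /* name plus NUL does not fit inside d_reclen */
    DIR_E_NAME_NUL,        /* no NUL where d_namlen says the name ends */
};

/*
 * Walk one directory block of len bytes. Returns the record count
 * (unused ino==0 slots included) if every record is self-consistent,
 * else the negated error code of the first bad record.
 */
int check_dirblock(const uint8_t *blk, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        struct direct_hdr h;
        if (len - off < DIRHDRSIZ)
            return -DIR_E_TRUNC;
        memcpy(&h, blk + off, DIRHDRSIZ);           /* copy out, never alias disk bytes */

        if (h.d_reclen == 0 || (h.d_reclen & 3) != 0)
            return -DIR_E_ALIGN;
        if (h.d_reclen > len - off)                  /* record must end inside the block */
            return -DIR_E_RECLEN_OVERRUN;
        if (h.d_namlen > MAXNAMLEN)
            return -DIR_E_NAMLEN_MAX;
        if (DIRSIZ(h.d_namlen) > h.d_reclen)         /* the d_namlen vs d_reclen check */
            return -DIR_E_NAMLEN_OVERRUN;
        /* Safe: off + 8 + d_namlen < off + d_reclen <= len by the two checks above. */
        if (blk[off + DIRHDRSIZ + h.d_namlen] != '\0')
            return -DIR_E_NAME_NUL;

        off += h.d_reclen;
        count++;
    }
    return count;
}

/* Write one record at off; namlen is stored as given so a test can lie about it. */
static size_t put_entry(uint8_t *blk, size_t off, uint32_t ino, uint16_t reclen,
                        uint8_t namlen, const char *name)
{
    struct direct_hdr h = { ino, reclen, 0, namlen };
    memcpy(blk + off, &h, DIRHDRSIZ);
    strcpy((char *)blk + off + DIRHDRSIZ, name);
    return off + reclen;
}

/* Constructed block: ".", "..", "file"; the last record absorbs the slack. */
int demo_good_block(void)
{
    uint8_t blk[DIRBLKSIZ] = {0};
    size_t off = 0;
    off = put_entry(blk, off, 2, (uint16_t)DIRSIZ(1), 1, ".");
    off = put_entry(blk, off, 2, (uint16_t)DIRSIZ(2), 2, "..");
    put_entry(blk, off, 5, (uint16_t)(DIRBLKSIZ - off), 4, "file");
    return check_dirblock(blk, sizeof blk);
}

/* Constructed block whose third record claims a 200-byte name in a 16-byte record. */
int demo_bogus_namlen(void)
{
    uint8_t blk[DIRBLKSIZ] = {0};
    size_t off = 0;
    off = put_entry(blk, off, 2, (uint16_t)DIRSIZ(1), 1, ".");
    off = put_entry(blk, off, 2, (uint16_t)DIRSIZ(2), 2, "..");
    put_entry(blk, off, 5, 16, 200, "file");
    return check_dirblock(blk, sizeof blk);
}

/* Constructed block whose third record's d_reclen points past the block end. */
int demo_bogus_reclen(void)
{
    uint8_t blk[DIRBLKSIZ] = {0};
    size_t off = 0;
    off = put_entry(blk, off, 2, (uint16_t)DIRSIZ(1), 1, ".");
    off = put_entry(blk, off, 2, (uint16_t)DIRSIZ(2), 2, "..");
    put_entry(blk, off, 5, DIRBLKSIZ, 4, "file");
    return check_dirblock(blk, sizeof blk);
}

int main(void)
{
    printf("good block:    %d\n", demo_good_block());
    printf("bogus namlen:  %d\n", demo_bogus_namlen());
    printf("bogus reclen:  %d\n", demo_bogus_reclen());
    return 0;
}
```

The good block walks to 3; the bad blocks stop at the third record with the namlen and reclen errors respectively. Ordering matters: d_reclen is bounded against the block before d_namlen is bounded against d_reclen, so the final NUL probe can never leave the buffer whatever the disk says.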