Subject: Re: new kpi proposal, sysdisk(9)
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-kern
Date: 12/30/2006 19:16:00
--bCsyhTFzCvuiizWE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Dec 30, 2006 at 02:50:29PM -0500, Thor Lancelot Simon wrote:
> On Fri, Dec 29, 2006 at 10:15:25PM -0800, Bill Studenmund wrote:
> >=20
> > You did make that clear. However I don't understand why you want to lim=
it=20
> > access to the whole disk.
> >=20
> > Either raw access to the partition is bounded to within the partition o=
r I=20
> > don't understand something. If it's bounded, and the partition doesn't=
=20
> > overlap anything, I don't see what the harm is.
>=20
> You can't know where on the disk the datastructure that actually defines
> the partition boundaries is kept, in an MI way.  There are a large number
> of fairly subtle attacks that take advantage of this problem: for example,
> changing the boundaries of two mounted filesystems so they overlap one
> another, and tricking the kernel into corrupting one or the other of them
> in a way that lets you increase privilege.

I'm not sure if this attack will really work. At least not with disklabel=
=20
partitioning. Yes, if we can get the kernel to change the partitioning of=
=20
a live disk, we can cause all sorts of issues. But I think there's another=
=20
part of the problem that has to be open for it to work.

The main reason I think this is that we only read the on-disk disk label=20
when we go from 0 open partitions to one open partition. Same thing for=20
wedges, as I understand them. So while you could change the partitioning=20
info on disk when something's open, I don't see how you can get that new=20
partitioning used while something's open.

Wedges don't overlap right now, so even though you could get the kernel to=
=20
find new wedges with something open, they'd have to not overlap.

Now, with disklabels, you can load a brand new disklabel into the kernel=20
(I hope it complains, but I am not sure). But if you can do that, you can=
=20
do anything. That door we must close. :-)

> If you put your mind to it, I don't think you'll have trouble thinking of
> other ways to exploit access to "some arbitrary part of the disk, so long
> as it's not mounted now" to overwrite "what's mounted now".

I'm not getting there. Please, help me figure out more. I'm working out a=
=20
list in my head of stuff that needs doing in this area, and I'd like more=
=20
ideas. :-)

Take care,

Bill

--bCsyhTFzCvuiizWE
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (NetBSD)

iD8DBQFFlytwWz+3JHUci9cRAgXgAJ9C7ACkdORVWChq5GyIK7cegQTDUQCeLE8p
2xDmNtpGzZjaOmAJomb43yA=
=U5SO
-----END PGP SIGNATURE-----

--bCsyhTFzCvuiizWE--