On Fri, 27 Sep 2024, Sami Tolvanen wrote:
> > See for example openssh, the function read_config_file_depth. There is:
> >
> > while (getline(&line, &linesize, f) != -1) {
> > ... process_config_line_depth
> > }
> > free(line);
> > fclose(f);
> > if (bad_options > 0)
> > fatal("%s: terminating, %d bad configuration options",
> > filename, bad_options);
> > return 1;
> >
> > So, the function doesn't distinguish between error and eof. If reading the
> > config file returns -EIO, the function exits with 1 as if the file was
> > empty.
>
> Sounds like OpenSSH's threat model doesn't include an attacker who can
> trigger arbitrary I/O errors. If you want dm-verity to protect against
> this, why not add a new restart_on_errors flag instead of changing the
> semantics of the restart_on_corruption flag and risk breaking existing
> users?
>
> Sami
The dm-verity behavior was reported as a security bug, so by default, it
should behave in the secure way - i.e. restart or panic on I/O error.
Do you intend to use dm-verity in Android and ChromeOS in the less-secure
way where it returns -EIO? Have you audited the Android and ChromeOS
codebase so that -EIO can't cause a security breach? If yes, I can make a
configuration switch for you that will enable the old behavior.
Mikulas
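The quoted OpenSSH loop treats every -1 from getline() as end-of-file, which is the gap the thread is about: a device returning -EIO part-way through a file looks like a short or empty file to the caller. The program below is an added example, not code from this thread, from OpenSSH, or from dm-verity; it shows the same read loop with the ferror() check that tells a failed read(2) apart from EOF. process_line() is a hypothetical option parser standing in for process_config_line_depth, the two config texts are constructed, and a directory opened for reading stands in for a failing dm-verity device: read(2) on it fails with EISDIR, and stdio flags that through ferror() exactly as it would flag -EIO.

```c
#define _POSIX_C_SOURCE 200809L   /* getline(), fmemopen() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Outcome of reading a config file. A caller that only checks
 * "did getline() return -1" cannot tell the last two apart. */
enum cfg_status { CFG_OK = 0, CFG_BAD_OPTION = 1, CFG_IO_ERROR = 2 };

/* Hypothetical option parser (not OpenSSH's process_config_line_depth):
 * blank lines and comments are accepted, anything else must be "keyword value". */
static int process_line(const char *line)
{
    while (*line == ' ' || *line == '\t')
        line++;
    if (*line == '\0' || *line == '\n' || *line == '#')
        return 0;
    const char *sep = strpbrk(line, " \t");
    return (sep != NULL && sep[1] != '\0' && sep[1] != '\n') ? 0 : -1;
}

/* Read every line of f. Unlike a loop that only tests for -1, this asks
 * the stream whether -1 meant end-of-file or a failed read(2), so a device
 * returning -EIO cannot masquerade as an empty file.
 * On CFG_IO_ERROR, *err receives the errno of the failed read. */
enum cfg_status read_config(FILE *f, int *nlines, int *err)
{
    char *line = NULL;
    size_t cap = 0;
    int bad = 0, count = 0;

    errno = 0;
    while (getline(&line, &cap, f) != -1) {
        count++;
        if (process_line(line) != 0)
            bad++;
    }
    int saved = errno;          /* free() below may clobber errno */
    free(line);
    *nlines = count;
    *err = 0;

    if (ferror(f)) {            /* -1 was a read error, not EOF */
        *err = saved;
        return CFG_IO_ERROR;
    }
    return bad > 0 ? CFG_BAD_OPTION : CFG_OK;
}

/* Constructed in-memory config: reads cleanly to EOF. */
FILE *open_constructed_config(void)
{
    static const char text[] = "# constructed sample\nPort 22\nPermitRootLogin no\n";
    return fmemopen((void *)text, sizeof text - 1, "r");
}

/* Constructed config with one malformed line. */
FILE *open_constructed_bad_config(void)
{
    static const char text[] = "Port 22\nThisLineHasNoValue\n";
    return fmemopen((void *)text, sizeof text - 1, "r");
}

/* Stand-in for a failing block device (assumption for this example):
 * read(2) on a directory fails with EISDIR, which stdio reports through
 * ferror() just as it would report -EIO from dm-verity. */
FILE *open_failing_stream(void)
{
    return fopen("/", "r");
}

/* Open a stream with the given opener, read it, and return the status;
 * *nlines receives how many lines were processed before the loop ended. */
int status_of(FILE *(*opener)(void), int *nlines)
{
    FILE *f = opener();
    if (f == NULL)
        return -1;
    int err;
    enum cfg_status s = read_config(f, nlines, &err);
    if (s == CFG_IO_ERROR)
        fprintf(stderr, "read failed: %s\n", strerror(err));
    fclose(f);
    return (int)s;
}

int main(void)
{
    int n, s;
    s = status_of(open_constructed_config, &n);
    printf("clean config:    status %d after %d lines\n", s, n);
    s = status_of(open_constructed_bad_config, &n);
    printf("bad option:      status %d after %d lines\n", s, n);
    s = status_of(open_failing_stream, &n);
    printf("failing device:  status %d after %d lines\n", s, n);
    return 0;
}
```

The important line is the ferror() test after the loop: with it, the failing stream yields CFG_IO_ERROR with zero lines read, whereas the quoted OpenSSH code would return 1 and carry on as if the file were empty. A caller that wants the "fail closed" behaviour the thread argues for can treat CFG_IO_ERROR like a bad option and refuse to continue.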