
XFS_IOC_ALLOCSP Stale Disk Exposure Vulnerability

Yes:


	/* mode 0: allocate [offset, offset + len) as unwritten extents; reads of the range return zeroes */
	int ret = fallocate(fd, 0, offset, len);
	...

No:


	/* removed ioctl: allocates from the current EOF up to l_start without reliably zeroing the new blocks */
	struct xfs_flock64 fl = {
		.l_whence = SEEK_SET,
		.l_start = offset,
	};
	int ret = ioctl(fd, XFS_IOC_ALLOCSP, &fl);
	...

Why?

ALLOCSP is an old ioctl inherited from XFS's previous host operating system. It was added in the early 1990s, before XFS (or anything else) supported unwritten extents, so it would simply allocate a block, map it into the file, zero the corresponding parts of the page cache, and flush the cache to ensure the zeroed block was written to disk.

Fast forward to 2021: storage can now be preallocated with the unwritten flag, and (at least on Linux) moving a file's EOF pointer doesn't necessarily create a page cache entry and fill it with zeroes. With the right timing, that last step of the old ioctl (zeroing the page cache and flushing it) no longer covers the newly mapped blocks, and a subsequent read of the file can dredge up old disk contents.

Instead of mitigating this, we're simply removing the old ioctl. We've been telling everyone to use fallocate for 15+ years, and fallocate handles this correctly. It also turned out that nobody was actually QAing the old call, so it is all the better that it just go away.
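The check a practitioner would want after switching to fallocate is that the preallocated range really does read back as zeroes. The following program is an added example, not code from this page or from the XFS project: it preallocates a range with fallocate() in mode 0 (the "Yes" call above), reads the range back, and reports any non-zero byte. The scratch path, the 1 MiB size and the return codes are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Preallocate [offset, offset + len) with fallocate() in mode 0.  The file
 * system records the new blocks as unwritten, so reading the range yields
 * zeroes regardless of what the blocks held before.  Returns 0 on success,
 * -1 with errno set otherwise. */
int preallocate_range(int fd, off_t offset, off_t len)
{
	return fallocate(fd, 0, offset, len);
}

/* Read [offset, offset + len) back and confirm every byte is zero.
 * Returns 1 if the whole range reads as zeroes, 0 if any non-zero byte is
 * found (stale data), -1 on a read error or if EOF lies inside the range. */
int range_reads_as_zero(int fd, off_t offset, off_t len)
{
	unsigned char buf[4096];
	off_t pos = offset, end = offset + len;

	while (pos < end) {
		off_t left = end - pos;
		size_t want = left < (off_t)sizeof(buf) ? (size_t)left : sizeof(buf);
		ssize_t n = pread(fd, buf, want, pos);
		if (n <= 0)
			return -1; /* read error, or the allocation did not extend the file */
		for (ssize_t i = 0; i < n; i++)
			if (buf[i] != 0)
				return 0;
		pos += n;
	}
	return 1;
}

/* Create an unlinked scratch file, preallocate `len` bytes from offset 0 and
 * verify the read-back.  Returns 1 when the range reads as zeroes, 0 when
 * stale bytes were found, 2 when the file system does not support
 * fallocate(), -1 on any other error.  Scratch paths are constructed. */
int preallocate_and_verify(off_t len)
{
	char path[] = "/tmp/prealloc-check-XXXXXX";
	int fd = mkstemp(path);
	if (fd < 0) {
		char alt[] = "./prealloc-check-XXXXXX"; /* fall back to the working directory */
		strcpy(path, alt);
		fd = mkstemp(path);
		if (fd < 0)
			return -1;
	}
	unlink(path); /* anonymous once we hold the descriptor */

	int rc;
	if (preallocate_range(fd, 0, len) != 0) {
		rc = (errno == EOPNOTSUPP || errno == ENOSYS) ? 2 : -1;
		close(fd);
		return rc;
	}
	rc = range_reads_as_zero(fd, 0, len);
	close(fd);
	return rc;
}

int main(void)
{
	int rc = preallocate_and_verify(1 << 20); /* 1 MiB, an assumed size */
	switch (rc) {
	case 1: puts("preallocated range reads as zeroes"); break;
	case 0: puts("STALE DATA: preallocated range is not zero-filled"); break;
	case 2: puts("fallocate() not supported on this file system"); break;
	default: perror("preallocate_and_verify");
	}
	return rc == 1 ? 0 : 1;
}
```

The verification step is deliberately separate from the allocation so it can be pointed at any file descriptor; a file system that has no fallocate() support is reported distinctly from a zero-fill failure, since only the latter is the exposure this page describes.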


Last modified 20 December 2021.