#12932 NORM Not Tri: fs-save falsely reports success on vfat targets
Zarro Boogs per Child
bugtracker at laptop.org
Fri Nov 24 08:38:07 EST 2017
#12932: fs-save falsely reports success on vfat targets
---------------------------+---------------------------------------------
Reporter: fatalbert | Owner: dsd
Type: defect | Status: new
Priority: normal | Milestone: Not Triaged
Component: security | Version: Development firmware
Keywords: | Blocked By:
Blocking: | Deployments affected:
Action Needed: never set | Verified: 0
---------------------------+---------------------------------------------
Using an XO-4 Touch (with 8gb internal storage) and vfat-formatted target
media (16gb), "fs-save u:\olpc_backup.img" was executed. In the end it
reported success. The "olpc_backup.img" was close to 4gb, which is the
filesize limit of a vfat filesystem (and half the size of the internal
storage).
Is fs-save using compression?
If not, then this is a security bug because the user will have a broken
image and not know that the backup failed until they attempt to do a
restore (after it's too late to troubleshoot and repeat the backup).
If fs-save *is* using compression, then there's no security bug here, but
users need to be informed. That is, when fs-save reports "success", it
should print something like "all data compressed to 4gb file named
olpc_backup.img" for example. This is important because the user has no
safe way to verify whether the imaging worked. Compression or lack
thereof should also be mentioned in the wiki (which I will do as soon as I
get a wiki account).
I believe it's the worst case-- that compression is not used and thus we
have a security-critical unreported failure. I say that because I ran
"strings olpc_backup.img" and there was lots of text that would have been
compressed if compression were used.
--
Ticket URL: <http://dev.laptop.org/ticket/12932>
One Laptop per Child <http://one.laptop.org/>
One Laptop per Child bug tracking system
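
The ticket notes that the user has no safe way to verify whether the imaging worked. The following is an added example, not code from the ticket or from OLPC, of a post-backup check that flags an image cut off at the FAT32 file size ceiling. It assumes the image is a raw, uncompressed copy (the ticket leaves this open) and that both the source device and the image are readable from a running OS; the function names and verdict strings are hypothetical.

```python
import hashlib
import os

FAT32_MAX_FILE = 2**32 - 1   # largest file FAT32 (vfat) can store, in bytes
CHUNK = 1 << 20              # read size, also the default "near the limit" slack


def size_of(path):
    """Size in bytes; seeking works for block devices, where st_size is 0."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def sha256_of(path):
    """Stream the file through SHA-256 so multi-gigabyte images are never held in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_image(source, image, fat_limit=FAT32_MAX_FILE, slack=CHUNK):
    """Classify a raw (uncompressed) image of `source`; returns a verdict string."""
    src_size, img_size = size_of(source), size_of(image)
    if img_size < src_size:
        # A short image that stops at the FAT32 ceiling is the ticket's failure mode.
        if fat_limit - slack <= img_size <= fat_limit:
            return "truncated-at-fat-limit"
        return "truncated"
    if img_size > src_size:
        return "size-mismatch"
    if sha256_of(source) != sha256_of(image):
        return "content-mismatch"
    return "ok"


if __name__ == "__main__":
    import sys
    # Usage (paths are placeholders): verify.py SOURCE_DEVICE IMAGE_FILE
    verdict = verify_image(sys.argv[1], sys.argv[2])
    print(verdict)
    sys.exit(0 if verdict == "ok" else 1)
```

The `fat_limit` and `slack` parameters exist so the truncation case can be exercised with small constructed files instead of a multi-gigabyte image.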