Back when I was poking around with filesystem fuzzing stuff years back, I noticed something odd:
An EXT filesystem can tell the Linux OS how it should behave "if" the filesystem is corrupt, including triggering a kernel panic. In a world where USB thumb drives exist, this seems... not ideal.
Let's see what happens if we plug such a mass storage device into a fully patched Chromebook in 2024...
Oh.
-
The man page for tune2fs is pretty clear about this capability.
The person who writes the data to the USB mass storage device can specify that both:
1) The OS that reads the device should panic if the filesystem has an error.
2) The filesystem has an error.
-
@wdormann It's funny (and rather cringe-inducing) to us infosec folks, but to 99% of developers they will always say "why would anyone do that?"
The vast majority just truly have no concept that anyone might want to act maliciously. If the engineer themself wouldn't perform a malicious action, they cannot conceive that anyone else would.
I have run into this issue so many times during my career. I now assume that no engineer will ever consider possible malicious actions taken against their code. To the extent that they do consider malicious actions, it will only be things that they themselves would do.
-
Terence Eden replied to Will Dormann
@wdormann given that some devices will boot from USB if present, would it be possible to make a stick which causes the OS to panic, but the UEFI to mount & run?
-
Modern Linux distros aren't really affected by this. At least in a drive-by sense. Auto-mounting is handled in a safer way than simply telling the kernel to mount the filesystem you just plugged in.
For example, compare the Ubuntu 22.04 behavior (complain that the filesystem is corrupt) vs. Ubuntu 20.04 (panic and reboot). For modern Linux to see the panic, you'd have to manually mount the filesystem (as root/sudo).
ChromeOS, on the other hand, chooses the more YOLO route of auto-mounting via the kernel.
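
A pre-mount check for the two superblock settings discussed in this thread, as an added example that is not part of any post here. It reads the ext2/3/4 superblock's `s_state` and `s_errors` fields from an image or block device; the function names and the verdict labels (`reject`, `fsck-first`, `ok`) are this example's own, and the sample header is constructed.

```python
import struct

SB_OFFSET = 1024                 # primary ext2/3/4 superblock starts 1024 bytes in
FIELDS_AT = SB_OFFSET + 0x38     # s_magic, s_state, s_errors: three little-endian u16
EXT_MAGIC = 0xEF53
STATE_ERROR_FS = 0x0002          # s_state bit: filesystem is recorded as having errors
ON_ERROR = {1: "continue", 2: "remount-ro", 3: "panic"}   # s_errors values

def read_error_policy(volume: bytes) -> dict:
    """Return the on-error behaviour and error flag stored in the superblock."""
    if len(volume) < FIELDS_AT + 6:
        raise ValueError("too short to hold an ext superblock")
    magic, state, errors = struct.unpack_from("<HHH", volume, FIELDS_AT)
    if magic != EXT_MAGIC:
        raise ValueError("no ext2/3/4 magic at the superblock offset")
    return {"on_error": ON_ERROR.get(errors, f"unknown({errors})"),
            "has_errors_flag": bool(state & STATE_ERROR_FS)}

def triage(volume: bytes) -> str:
    """Verdict for untrusted media; the labels are this example's own."""
    policy = read_error_policy(volume)
    if policy["on_error"] == "panic":
        return "reject"          # the media asks the reader's kernel to panic on error
    if policy["has_errors_flag"]:
        return "fsck-first"      # flagged as erroneous, but with a non-fatal policy
    return "ok"

def triage_path(path: str) -> str:
    """Same check against an image file or block device (read-only, no mount)."""
    with open(path, "rb") as fh:
        return triage(fh.read(SB_OFFSET + 1024))

def constructed_header(state: int, errors: int) -> bytes:
    """Constructed sample: 2 KiB of zeros with only the three fields filled in."""
    buf = bytearray(SB_OFFSET + 1024)
    struct.pack_into("<HHH", buf, FIELDS_AT, EXT_MAGIC, state, errors)
    return bytes(buf)

if __name__ == "__main__":
    for state, errors in [(0x0001, 1), (0x0001, 3), (0x0002, 2), (0x0002, 3)]:
        print(hex(state), errors, triage(constructed_header(state, errors)))
```

The superblock value is only a default: ext4(5) documents an `errors=` mount option (`continue`, `remount-ro`, `panic`) that can be given explicitly when mounting.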