zpool add allows mismatching redundancy after vdev removal #13705

speed47 · 2022-07-29T09:24:10Z

System information

Type	Version/Name
Distribution Name	Ubuntu
Distribution Version	22.04 LTS
Kernel Version	5.15.53 (vanilla)
Architecture	x86_64
OpenZFS Version	2.1.5

Describe the problem you're observing

It is possible to (involuntarily) bypass the "mismatching redundancy" security check of zpool add after a vdev has been removed from the zpool.
This is due to the fact that once indirect vdevs are present, the internal get_replication() check fails, even as the pool has still a correct redundancy. Any subsequent zpool modification command will be allowed even if it actually changes the redundancy as the zpool command will make the assumption that the redundancy is already broken, as per:

zfs/cmd/zpool/zpool_vdev.c

Lines 810 to 821 in e8cf3a4

    
           	/* 
        
           	 * If we have a current pool configuration, check to see if it's 
        
           	 * self-consistent.  If not, simply return success. 
        
           	 */ 
        
           	if (config != NULL) { 
        
           		nvlist_t *nvroot; 
        
           		verify(nvlist_lookup_nvlist(config, ZPOOL_CONFIG_VDEV_TREE, 
        
           		    &nvroot) == 0); 
        
           		if ((current = get_replication(nvroot, B_FALSE)) == NULL) 
        
           			return (0); 
        
           	}

Describe how to reproduce the problem

for i in a b c d e f special; do truncate -s 1G /dev/shm/$i; done
zpool create test mirror /dev/shm/{a,b} mirror /dev/shm/{c,d}
zpool add test special /dev/shm/special # this fails as it should ("mismatched replication level: pool uses mirror and new vdev is file")
zpool add test mirror /dev/shm/{e,f}
zpool remove test mirror-1 # corresponding to /dev/shm/{c,d}
zpool add test special /dev/shm/special # it works, it shouldn't

After the zpool remove, a manual call to get_redundancy() shows failure, while it should report the pool has having a correct redundancy:

invalid vdev specification
use '-f' to override the following errors:
mismatched replication level: both mirror and indirect vdevs are present
mismatched replication level: both indirect and mirror vdevs are present

We end up with this configuration:

# zpool status test
  pool: test
 state: ONLINE
remove: Removal of vdev 1 copied 62.5K in 0h0m, completed on Fri Jul 29 11:19:36 2022
        144 memory used for removed device mappings
config:

        NAME                STATE     READ WRITE CKSUM
        test                ONLINE       0     0     0
          mirror-0          ONLINE       0     0     0
            /dev/shm/a      ONLINE       0     0     0
            /dev/shm/b      ONLINE       0     0     0
          mirror-2          ONLINE       0     0     0
            /dev/shm/e      ONLINE       0     0     0
            /dev/shm/f      ONLINE       0     0     0
        special 
          /dev/shm/special  ONLINE       0     0     0

...which is highly dangerous, and we didn't override any check by using -f at any point.

The text was updated successfully, but these errors were encountered:

speed47 · 2022-07-29T23:47:24Z

This fixes the problem, but I'm not sure if it's okay to just ignore indirect vdevs entirely for the redundancy check. I'll have to run the ZFS tests to be sure.
master...speed47:zfs:zpool_redundancy

The presence of indirect vdevs was confusing get_redundancy(), which considered a pool with e.g. only mirror top-level vdevs and at least one indirect vdev (due to the removal of a previous vdev) as already having a broken redundancy, which is not the case. This lead to the possibility of compromising the redundancy of a pool by adding mismatched vdevs without requiring the use of `-f`, and with no visible notice or warning. Signed-off-by: Stéphane Lesimple <speed47_github@speed47.net> Closes openzfs#13705

The presence of indirect vdevs was confusing get_redundancy(), which considered a pool with e.g. only mirror top-level vdevs and at least one indirect vdev (due to the removal of a previous vdev) as already having a broken redundancy, which is not the case. This lead to the possibility of compromising the redundancy of a pool by adding mismatched vdevs without requiring the use of `-f`, and with no visible notice or warning. Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Stéphane Lesimple <speed47_github@speed47.net> Closes openzfs#13705 Closes openzfs#13711

speed47 added the Type: Defect Incorrect behavior (e.g. crash, hang) label Jul 29, 2022

speed47 mentioned this issue Jul 31, 2022

zpool: fix redundancy check after vdev removal #13711

Merged

13 tasks

behlendorf closed this as completed in 4fc1ea9 Aug 5, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

zpool add allows mismatching redundancy after vdev removal #13705

zpool add allows mismatching redundancy after vdev removal #13705

speed47 commented Jul 29, 2022 •

edited

Loading

speed47 commented Jul 29, 2022

zpool add allows mismatching redundancy after vdev removal #13705

zpool add allows mismatching redundancy after vdev removal #13705

Comments

speed47 commented Jul 29, 2022 • edited Loading

System information

Describe the problem you're observing

Describe how to reproduce the problem

speed47 commented Jul 29, 2022

speed47 commented Jul 29, 2022 •

edited

Loading