From: "Darrick J. Wong" <darrick.wong@oracle.com> To: Eryu Guan <eguan@redhat.com> Cc: ocfs2-devel@oss.oracle.com, fstests@vger.kernel.org Subject: Re: [PATCH 7/7] xfs/ext4: check negative inode size Date: Tue, 13 Dec 2016 13:49:32 -0800 [thread overview] Message-ID: <20161213214932.GD6366@birch.djwong.org> (raw) In-Reply-To: <20161212110721.GC29149@eguan.usersys.redhat.com> On Mon, Dec 12, 2016 at 07:07:21PM +0800, Eryu Guan wrote: > On Sun, Dec 11, 2016 at 01:53:28PM -0800, Darrick J. Wong wrote: > > Craft a malicious filesystem image with a negative inode size, > > then try to trigger a kernel DoS by appending data to the file. > > Ideally this should trigger verifier errors instead of hanging. > > > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > > --- > > tests/ext4/400 | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ > > tests/ext4/401 | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ > > tests/ext4/group | 2 ++ > > tests/xfs/400 | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > tests/xfs/401 | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ > > tests/xfs/group | 2 ++ > > 6 files changed, 290 insertions(+) > > create mode 100755 tests/ext4/400 > > create mode 100755 tests/ext4/401 > > create mode 100755 tests/xfs/400 > > create mode 100755 tests/xfs/401 > > > > > > diff --git a/tests/ext4/400 b/tests/ext4/400 > > new file mode 100755 > > index 0000000..5857549 > > --- /dev/null > > +++ b/tests/ext4/400 
> > @@ -0,0 +1,71 @@ > > +#! /bin/bash > > +# FSQA Test No. 400 > > +# > > +# Since loff_t is a signed type, it is invalid for a filesystem to load > > +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, > > +# which means that we can trivially DoS the VFS by creating such a file > > +# and appending to it. This causes an integer overflow in the routines > > +# underlying writeback, which results in the kernel locking up. > > The only difference between ext4/400 and ext4/401 is that 400 makes > i_size=-1 and 401 makes it 0xFFFFFFFFFFFFFE00, while xfs/400 and xfs/401 > both create XFS with i_size -1. Is 0xFFFFFFFFFFFFFE00 a typo? Or update > the description accordingly if they are two different tests? The 0xFFFFFFFFFFFFFE00 rounds the file size down to a multiple of 512 so that we can do the directio... which means that xfs/401 is buggy. Good catch! Hmmm, no golden output either. WTF? :) > And I noticed that 400 is doing buffered I/O and 401 is doing direct > I/O, can the two be folded in one test? <shrug> They're testing different code paths (at least with pre-iomap filesystems) so I prefer they stay separate. > > +# > > +#----------------------------------------------------------------------- > > +# Copyright (c) 2016-2017 Oracle, Inc. All Rights Reserved. > > +# > > +# This program is free software; you can redistribute it and/or > > +# modify it under the terms of the GNU General Public License as > > +# published by the Free Software Foundation. > > +# > > +# This program is distributed in the hope that it would be useful, > > +# but WITHOUT ANY WARRANTY; without even the implied warranty of > > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > +# GNU General Public License for more details. 
> > +# > > +# You should have received a copy of the GNU General Public License > > +# along with this program; if not, write the Free Software Foundation, > > +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA > > +#----------------------------------------------------------------------- > > + > > +seq=`basename $0` > > +seqres=$RESULT_DIR/$seq > > +echo "QA output created by $seq" > > + > > +PIDS="" > > +tmp=/tmp/$$ > > +status=1 # failure is the default! > > +trap "_cleanup; exit \$status" 0 1 2 3 15 > > + > > +_cleanup() > > +{ > > + rm -f $tmp.* > > +} > > + > > +# get standard environment, filters and checks > > +. ./common/rc > > +. ./common/filter > > + > > +# real QA test starts here > > +_supported_os Linux > > +_supported_fs ext2 ext3 ext4 > > Then it belongs to shared :) Ah, so that's what tests/shared/ is for. I've been wondering that for a long time. --D > Thanks, > Eryu > -- > To unsubscribe from this list: send the line "unsubscribe fstests" in > the body of a message to majordomo@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html
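Review bot: The header comment at the top of tests/ext4/400 explains the overflow behind the hang but never states what a passing run looks like, so there is nothing to check the test's output against. The commit message already says the ideal outcome is verifier errors instead of a hang; repeat that in the header and name the expected result of the append, so the golden output can be written from it. Separately, in the setup block `PIDS=""` is assigned, but `_cleanup()` as quoted only runs `rm -f $tmp.*`; drop the variable unless a later part of the test uses it.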