From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Gao Xiang <hsiangkao@redhat.com>
Cc: fstests <fstests@vger.kernel.org>
Subject: Re: [PATCH v2] xfs: add test for CVE-2020-12655
Date: Tue, 23 Jun 2020 08:23:52 -0700 [thread overview]
Message-ID: <20200623152352.GA7600@magnolia> (raw)
In-Reply-To: <20200623020447.5924-1-hsiangkao@redhat.com>
On Tue, Jun 23, 2020 at 10:04:47AM +0800, Gao Xiang wrote:
> Add a regression test to see if kernel hangs in order to
> look after CVE-2020-12655 and check if the corresponding
> fix is applied as well.
>
> Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
> ---
> changes since v1:
> add "Metadata corruption" dmesg check as an auxiliary for specific kernel
>
> tests/xfs/520 | 87 +++++++++++++++++++++++++++++++++++++++++++++++
> tests/xfs/520.out | 2 ++
> tests/xfs/group | 1 +
> 3 files changed, 90 insertions(+)
> create mode 100755 tests/xfs/520
> create mode 100644 tests/xfs/520.out
>
> diff --git a/tests/xfs/520 b/tests/xfs/520
> new file mode 100755
> index 00000000..9e21579e
> --- /dev/null
> +++ b/tests/xfs/520
> @@ -0,0 +1,87 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved.
> +#
> +# FS QA Test 520
> +#
> +# Verify kernel doesn't hang when mounting a crafted image
> +# with bad agf.freeblks metadata due to CVE-2020-12655.
> +#
> +# Also, check if
> +# commit d0c7feaf8767 ("xfs: add agf freeblocks verify in xfs_agf_verify")
> +# is included in the current kernel.
> +#
> +seq=`basename $0`
> +seqres=$RESULT_DIR/$seq
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1 # failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> + cd /
> + rm -f $tmp.*
> + _scratch_unmount > /dev/null 2>&1
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +
> +# remove previous $seqres.full before test
> +rm -f $seqres.full
> +
> +# real QA test starts here
> +
> +# Modify as appropriate.
> +_supported_fs xfs
> +_supported_os Linux
> +_disable_dmesg_check
> +_require_check_dmesg
> +_require_scratch_nocheck
> +
> +force_crafted_metadata() {
> + _scratch_mkfs_xfs -f $fsdsopt "$4" >> $seqres.full 2>&1 || _fail "mkfs failed"
> + _scratch_xfs_set_metadata_field "$1" "$2" "$3" >> $seqres.full 2>&1
> + local kmsg="xfs/$seq: testing $1=$2 at $(date +"%F %T")"
> + local mounted=0
> + local hasmsg=0
> +
> + echo "${kmsg}" > /dev/kmsg
> + _try_scratch_mount >> $seqres.full 2>&1 && mounted=1
> +
> + if [ $mounted -ne 0 ]; then
> + dd if=/dev/zero of=$SCRATCH_MNT/test bs=65536 count=1 >> \
> + $seqres.full 2>&1
> + sync
> + fi
> +
> + _dmesg_since_test_start | tac | sed -ne "0,\#${kmsg}#p" | tac | \
> + egrep -q 'Metadata corruption detected at' && hasmsg=1
> +
> + _scratch_unmount > /dev/null 2>&1
> + [ $mounted -eq 0 -o $hasmsg -eq 1 ] && return
> + _fail "potential broken kernel"
Could you print both variables in the error message so that it's easier
to figure out where exactly we went wrong?
> +}
> +
> +bigval=100000000
> +fsdsopt="-d agcount=1,size=64m"
> +
> +force_crafted_metadata freeblks 0 "agf 0"
> +force_crafted_metadata longest $bigval "agf 0"
> +force_crafted_metadata length $bigval "agf 0"
> +
> +_scratch_mkfs_xfs_supported -m reflink=1 >> $seqres.full 2>&1 && \
> + force_crafted_metadata refcntblocks $bigval "agf 0" "-m reflink=1"
> +
> +_scratch_mkfs_xfs_supported -m rmapbt=1 >> $seqres.full 2>&1 && \
> + force_crafted_metadata rmapblocks $bigval "agf 0" "-m rmapbt=1"
> +
> +echo "Silence is golden"
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/xfs/520.out b/tests/xfs/520.out
> new file mode 100644
> index 00000000..2a59b872
> --- /dev/null
> +++ b/tests/xfs/520.out
> @@ -0,0 +1,2 @@
> +QA output created by 520
> +Silence is golden
> diff --git a/tests/xfs/group b/tests/xfs/group
> index daf54add..433f04d0 100644
> --- a/tests/xfs/group
> +++ b/tests/xfs/group
> @@ -517,3 +517,4 @@
> 517 auto quick fsmap freeze
> 518 auto quick quota
> 519 auto quick reflink
> +520 auto quick reflink dangerous
Hmmm... I guess the fix has been out for a while, so it's less shocking
to put a dangerous test in the auto group?
--D
> --
> 2.18.1
>
next prev parent reply other threads:[~2020-06-23 15:24 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-19 13:44 [PATCH] xfs: add test for CVE-2020-12655 Gao Xiang
2020-06-23 2:04 ` [PATCH v2] " Gao Xiang
2020-06-23 15:23 ` Darrick J. Wong [this message]
2020-06-23 15:30 ` Gao Xiang
2020-06-24 1:06 ` [PATCH v3] " Gao Xiang
2020-06-24 15:18 ` Darrick J. Wong
2020-06-25 3:15 ` Gao Xiang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200623152352.GA7600@magnolia \
--to=darrick.wong@oracle.com \
--cc=fstests@vger.kernel.org \
--cc=hsiangkao@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).