Re: [PATCH v2] xfs: add test for CVE-2020-12655

["Darrick J. Wong" <darrick.wong@oracle.com>]

On Tue, Jun 23, 2020 at 10:04:47AM +0800, Gao Xiang wrote:
> Add a regression test to see if kernel hangs in order to
> look after CVE-2020-12655 and check if the corresponding
> fix is applied as well.
> 
> Signed-off-by: Gao Xiang <hsiangkao@redhat.com>
> ---
> changes since v1:
>  add "Metadata corruption" dmesg check as an auxiliary for specific kernel
> 
>  tests/xfs/520     | 87 +++++++++++++++++++++++++++++++++++++++++++++++
>  tests/xfs/520.out |  2 ++
>  tests/xfs/group   |  1 +
>  3 files changed, 90 insertions(+)
>  create mode 100755 tests/xfs/520
>  create mode 100644 tests/xfs/520.out
> 
> diff --git a/tests/xfs/520 b/tests/xfs/520
> new file mode 100755
> index 00000000..9e21579e
> --- /dev/null
> +++ b/tests/xfs/520
> @@ -0,0 +1,87 @@
> +#! /bin/bash
> +# SPDX-License-Identifier: GPL-2.0
> +# Copyright (c) 2020 Red Hat, Inc.  All Rights Reserved.
> +#
> +# FS QA Test 520
> +#
> +# Verify kernel doesn't hang when mounting a crafted image
> +# with bad agf.freeblks metadata due to CVE-2020-12655.
> +#
> +# Also, check if
> +# commit d0c7feaf8767 ("xfs: add agf freeblocks verify in xfs_agf_verify")
> +# is included in the current kernel.
> +#
> +seq=`basename $0`
> +seqres=$RESULT_DIR/$seq
> +echo "QA output created by $seq"
> +
> +here=`pwd`
> +tmp=/tmp/$$
> +status=1	# failure is the default!
> +trap "_cleanup; exit \$status" 0 1 2 3 15
> +
> +_cleanup()
> +{
> +	cd /
> +	rm -f $tmp.*
> +	_scratch_unmount > /dev/null 2>&1
> +}
> +
> +# get standard environment, filters and checks
> +. ./common/rc
> +. ./common/filter
> +
> +# remove previous $seqres.full before test
> +rm -f $seqres.full
> +
> +# real QA test starts here
> +
> +# Modify as appropriate.
> +_supported_fs xfs
> +_supported_os Linux
> +_disable_dmesg_check
> +_require_check_dmesg
> +_require_scratch_nocheck
> +
> +force_crafted_metadata() {
> +	_scratch_mkfs_xfs -f $fsdsopt "$4" >> $seqres.full 2>&1 || _fail "mkfs failed"
> +	_scratch_xfs_set_metadata_field "$1" "$2" "$3" >> $seqres.full 2>&1
> +	local kmsg="xfs/$seq: testing $1=$2 at $(date +"%F %T")"
> +	local mounted=0
> +	local hasmsg=0
> +
> +	echo "${kmsg}" > /dev/kmsg
> +	_try_scratch_mount >> $seqres.full 2>&1 && mounted=1
> +
> +	if [ $mounted -ne 0 ]; then
> +		dd if=/dev/zero of=$SCRATCH_MNT/test bs=65536 count=1 >> \
> +			$seqres.full 2>&1
> +		sync
> +	fi
> +
> +	_dmesg_since_test_start | tac | sed -ne "0,\#${kmsg}#p" | tac | \
> +		egrep -q 'Metadata corruption detected at' && hasmsg=1
> +
> +	_scratch_unmount > /dev/null 2>&1
> +	[ $mounted -eq 0 -o $hasmsg -eq 1 ] && return
> +	_fail "potential broken kernel"

Could you print both variables in the error message so that it's easier
to figure out where exactly we went wrong?

> +}
> +
> +bigval=100000000
> +fsdsopt="-d agcount=1,size=64m"
> +
> +force_crafted_metadata freeblks 0 "agf 0"
> +force_crafted_metadata longest $bigval "agf 0"
> +force_crafted_metadata length $bigval "agf 0"
> +
> +_scratch_mkfs_xfs_supported -m reflink=1 >> $seqres.full 2>&1 && \
> +	force_crafted_metadata refcntblocks $bigval "agf 0" "-m reflink=1"
> +
> +_scratch_mkfs_xfs_supported -m rmapbt=1 >> $seqres.full 2>&1 && \
> +	force_crafted_metadata rmapblocks $bigval "agf 0" "-m rmapbt=1"
> +
> +echo "Silence is golden"
> +
> +# success, all done
> +status=0
> +exit
> diff --git a/tests/xfs/520.out b/tests/xfs/520.out
> new file mode 100644
> index 00000000..2a59b872
> --- /dev/null
> +++ b/tests/xfs/520.out
> @@ -0,0 +1,2 @@
> +QA output created by 520
> +Silence is golden
> diff --git a/tests/xfs/group b/tests/xfs/group
> index daf54add..433f04d0 100644
> --- a/tests/xfs/group
> +++ b/tests/xfs/group
> @@ -517,3 +517,4 @@
>  517 auto quick fsmap freeze
>  518 auto quick quota
>  519 auto quick reflink
> +520 auto quick reflink dangerous

Hmmm... I guess the fix has been out for a while, so it's less shocking
to put a dangerous test in the auto group?

--D

> -- 
> 2.18.1
>