From: Xiao Yang <yangx.jy@cn.fujitsu.com>
To: fstests@vger.kernel.org
Cc: guaneryu@gmail.com, darrick.wong@oracle.com,
Xiao Yang <yangx.jy@cn.fujitsu.com>
Subject: [PATCH] xfs: Regression test for vulnerable directory integrity check
Date: Thu, 24 May 2018 17:32:12 +0800 [thread overview]
Message-ID: <1527154332-13234-1-git-send-email-yangx.jy@cn.fujitsu.com> (raw)
If a malicious XFS contains a block+ format directory wherein the
directory inode's core.mode is corrupted, and there are subdirectories
of the corrupted directory, an attempt to traverse up the directory
tree by running xfs_scrub will crash the kernel in __xfs_dir3_data_check.
Signed-off-by: Xiao Yang <yangx.jy@cn.fujitsu.com>
---
tests/xfs/448 | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
tests/xfs/448.out | 2 ++
tests/xfs/group | 1 +
3 files changed, 93 insertions(+)
create mode 100755 tests/xfs/448
create mode 100644 tests/xfs/448.out
diff --git a/tests/xfs/448 b/tests/xfs/448
new file mode 100755
index 0000000..bc151a4
--- /dev/null
+++ b/tests/xfs/448
@@ -0,0 +1,90 @@
+#! /bin/bash
+# FS QA Test No. 448
+#
+# Regression test for commit:
+# 46c5973 ("xfs: harden directory integrity checks some more")
+#
+# If a malicious XFS contains a block+ format directory wherein
+# the directory inode's core.mode is corrupted, and there are
+# subdirectories of the corrupted directory, an attempt to traverse
+# up the directory tree by running xfs_scrub will crash the
+# kernel in __xfs_dir3_data_check.
+#
+# Notice:
+# we should have non fatal asserts configured, because assert
+# failures triggered by the intentional corrupt would crash system.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2018 FUJITSU. All Rights Reserved.
+# Author: Xiao Yang <yangx.jy@cn.fujitsu.com>
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
+#-----------------------------------------------------------------------
+
+seq=`basename "$0"`
+seqres="$RESULT_DIR/$seq"
+echo "QA output created by $seq"
+
+here=`pwd`
+tmp=/tmp/$$
+status=1 # failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+ rm -rf $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+. ./common/populate
+. ./common/fuzzy
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch
+_require_scrub
+_require_scratch_nocheck
+# Corrupt XFS on purpose, and skip if assert failures would crash system.
+_require_no_xfs_bug_on_assert
+
+rm -f "$seqres.full"
+
+# Format and mount
+_scratch_mkfs > $seqres.full 2>&1 || _fail "mkfs failed"
+_scratch_mount
+
+# Create a block+(e.g. leaf) format directory
+dblksz="$(xfs_info "${SCRATCH_MNT}" | grep naming.*bsize | sed -e 's/^.*bsize=//g' -e 's/\([0-9]*\).*$/\1/g')"
+__populate_create_dir "${SCRATCH_MNT}/dir_leaf" "$((dblksz / 12))"
+dino=$(stat -c "%i" "${SCRATCH_MNT}/dir_leaf")
+
+# Corrupt the directory inode's core.mode
+_scratch_unmount
+setmode="0100755"
+_scratch_xfs_set_metadata_field "core.mode" "$setmode" "inode $dino" >> $seqres.full
+getmode=$(_scratch_xfs_get_metadata_field "core.mode" "inode $dino")
+[ "$getmode" != "$setmode" ] && _notrun "failed to set core.mode"
+
+# Check a mounted XFS (online)
+_scratch_mount
+$XFS_SCRUB_PROG -d -T -v -n $SCRATCH_MNT >> $seqres.full 2>&1
+
+echo "Silence is golden"
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/448.out b/tests/xfs/448.out
new file mode 100644
index 0000000..b6f0a53
--- /dev/null
+++ b/tests/xfs/448.out
@@ -0,0 +1,2 @@
+QA output created by 448
+Silence is golden
diff --git a/tests/xfs/group b/tests/xfs/group
index 51326d9..dd39d08 100644
--- a/tests/xfs/group
+++ b/tests/xfs/group
@@ -445,3 +445,4 @@
445 auto quick filestreams
446 auto quick
447 auto mount
+448 auto quick fuzzers
--
1.8.3.1
next reply other threads:[~2018-05-24 9:43 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-24 9:32 Xiao Yang [this message]
2018-05-25 4:37 ` [PATCH] xfs: Regression test for vulnerable directory integrity check Darrick J. Wong
2018-05-25 6:33 ` Xiao Yang
2018-05-29 17:53 ` Darrick J. Wong
2018-05-30 4:04 ` Xiao Yang
2018-05-30 4:52 ` Darrick J. Wong
2018-05-30 6:58 ` Eryu Guan
2018-05-30 8:53 ` [PATCH v2] " Xiao Yang
2018-05-30 14:56 ` Darrick J. Wong
2018-06-03 13:37 ` Eryu Guan
2018-06-03 22:56 ` Darrick J. Wong
2018-06-04 4:54 ` Eryu Guan
2018-06-04 4:50 ` [PATCH] common/rc: Fix _require_xfs_io_command for scrub probe Xiao Yang
2018-06-04 15:44 ` Darrick J. Wong
2018-06-04 5:00 ` [PATCH v2] xfs: Regression test for vulnerable directory integrity check Xiao Yang
2018-06-04 4:55 ` Xiao Yang
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1527154332-13234-1-git-send-email-yangx.jy@cn.fujitsu.com \
--to=yangx.jy@cn.fujitsu.com \
--cc=darrick.wong@oracle.com \
--cc=fstests@vger.kernel.org \
--cc=guaneryu@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.