Message ID | 20200623020447.5924-1-hsiangkao@redhat.com (mailing list archive) |
---|---|
State | New, archived |
Series | [v2] xfs: add test for CVE-2020-12655 |
On Tue, Jun 23, 2020 at 10:04:47AM +0800, Gao Xiang wrote: > Add a regression test to see if kernel hangs in order to > look after CVE-2020-12655 and check if the corresponding > fix is applied as well. > > Signed-off-by: Gao Xiang <hsiangkao@redhat.com> > --- > changes since v1: > add "Metadata corruption" dmesg check as an auxiliary for specific kernel > > tests/xfs/520 | 87 +++++++++++++++++++++++++++++++++++++++++++++++ > tests/xfs/520.out | 2 ++ > tests/xfs/group | 1 + > 3 files changed, 90 insertions(+) > create mode 100755 tests/xfs/520 > create mode 100644 tests/xfs/520.out > > diff --git a/tests/xfs/520 b/tests/xfs/520 > new file mode 100755 > index 00000000..9e21579e > --- /dev/null > +++ b/tests/xfs/520 
> @@ -0,0 +1,87 @@ > +#! /bin/bash > +# SPDX-License-Identifier: GPL-2.0 > +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved. > +# > +# FS QA Test 520 > +# > +# Verify kernel doesn't hang when mounting a crafted image > +# with bad agf.freeblks metadata due to CVE-2020-12655. > +# > +# Also, check if > +# commit d0c7feaf8767 ("xfs: add agf freeblocks verify in xfs_agf_verify") > +# is included in the current kernel. > +# > +seq=`basename $0` > +seqres=$RESULT_DIR/$seq > +echo "QA output created by $seq" > + > +here=`pwd` > +tmp=/tmp/$$ > +status=1 # failure is the default! > +trap "_cleanup; exit \$status" 0 1 2 3 15 > + > +_cleanup() > +{ > + cd / > + rm -f $tmp.* > + _scratch_unmount > /dev/null 2>&1 > +} > + > +# get standard environment, filters and checks > +. ./common/rc > +. ./common/filter > + > +# remove previous $seqres.full before test > +rm -f $seqres.full > + > +# real QA test starts here > + > +# Modify as appropriate. > +_supported_fs xfs > +_supported_os Linux > +_disable_dmesg_check > +_require_check_dmesg > +_require_scratch_nocheck > + > +force_crafted_metadata() { > + _scratch_mkfs_xfs -f $fsdsopt "$4" >> $seqres.full 2>&1 || _fail "mkfs failed" > + _scratch_xfs_set_metadata_field "$1" "$2" "$3" >> $seqres.full 2>&1 > + local kmsg="xfs/$seq: testing $1=$2 at $(date +"%F %T")" > + local mounted=0 > + local hasmsg=0 > + > + echo "${kmsg}" > /dev/kmsg > + _try_scratch_mount >> $seqres.full 2>&1 && mounted=1 > + > + if [ $mounted -ne 0 ]; then > + dd if=/dev/zero of=$SCRATCH_MNT/test bs=65536 count=1 >> \ > + $seqres.full 2>&1 > + sync > + fi > + > + _dmesg_since_test_start | tac | sed -ne "0,\#${kmsg}#p" | tac | \ > + egrep -q 'Metadata corruption detected at' && hasmsg=1 > + > + _scratch_unmount > /dev/null 2>&1 > + [ $mounted -eq 0 -o $hasmsg -eq 1 ] && return > + _fail "potential broken kernel" Could you print both variables in the error message so that it's easier to figure out where exactly we went wrong? 
> +} > + > +bigval=100000000 > +fsdsopt="-d agcount=1,size=64m" > + > +force_crafted_metadata freeblks 0 "agf 0" > +force_crafted_metadata longest $bigval "agf 0" > +force_crafted_metadata length $bigval "agf 0" > + > +_scratch_mkfs_xfs_supported -m reflink=1 >> $seqres.full 2>&1 && \ > + force_crafted_metadata refcntblocks $bigval "agf 0" "-m reflink=1" > + > +_scratch_mkfs_xfs_supported -m rmapbt=1 >> $seqres.full 2>&1 && \ > + force_crafted_metadata rmapblocks $bigval "agf 0" "-m rmapbt=1" > + > +echo "Silence is golden" > + > +# success, all done > +status=0 > +exit > diff --git a/tests/xfs/520.out b/tests/xfs/520.out > new file mode 100644 > index 00000000..2a59b872 > --- /dev/null > +++ b/tests/xfs/520.out > @@ -0,0 +1,2 @@ > +QA output created by 520 > +Silence is golden > diff --git a/tests/xfs/group b/tests/xfs/group > index daf54add..433f04d0 100644 > --- a/tests/xfs/group > +++ b/tests/xfs/group > @@ -517,3 +517,4 @@ > 517 auto quick fsmap freeze > 518 auto quick quota > 519 auto quick reflink > +520 auto quick reflink dangerous Hmmm... I guess the fix has been out for a while, so it's less shocking to put a dangerous test in the auto group? --D > -- > 2.18.1 >
Hi Darrick, On Tue, Jun 23, 2020 at 08:23:52AM -0700, Darrick J. Wong wrote: ... > > + > > + _scratch_unmount > /dev/null 2>&1 > > + [ $mounted -eq 0 -o $hasmsg -eq 1 ] && return > > + _fail "potential broken kernel" > > Could you print both variables in the error message so that it's easier > to figure out where exactly we went wrong? Okay, will fix in the next version (tomorrow, about to sleep...) > ... > > 518 auto quick quota > > 519 auto quick reflink > > +520 auto quick reflink dangerous > > Hmmm... I guess the fix has been out for a while, so it's less shocking > to put a dangerous test in the auto group? Okay, will update it (I'm backporting the fix to old old kernels... and some you know....). Thanks for the review! Thanks, Gao Xiang > > --D > > > -- > > 2.18.1 > > >
diff --git a/tests/xfs/520 b/tests/xfs/520 new file mode 100755 index 00000000..9e21579e --- /dev/null +++ b/tests/xfs/520 
@@ -0,0 +1,87 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0 +# Copyright (c) 2020 Red Hat, Inc. All Rights Reserved. +# +# FS QA Test 520 +# +# Verify kernel doesn't hang when mounting a crafted image +# with bad agf.freeblks metadata due to CVE-2020-12655. +# +# Also, check if +# commit d0c7feaf8767 ("xfs: add agf freeblocks verify in xfs_agf_verify") +# is included in the current kernel. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* + _scratch_unmount > /dev/null 2>&1 +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here + +# Modify as appropriate. +_supported_fs xfs +_supported_os Linux +_disable_dmesg_check +_require_check_dmesg +_require_scratch_nocheck + +force_crafted_metadata() { + _scratch_mkfs_xfs -f $fsdsopt "$4" >> $seqres.full 2>&1 || _fail "mkfs failed" + _scratch_xfs_set_metadata_field "$1" "$2" "$3" >> $seqres.full 2>&1 + local kmsg="xfs/$seq: testing $1=$2 at $(date +"%F %T")" + local mounted=0 + local hasmsg=0 + + echo "${kmsg}" > /dev/kmsg + _try_scratch_mount >> $seqres.full 2>&1 && mounted=1 + + if [ $mounted -ne 0 ]; then + dd if=/dev/zero of=$SCRATCH_MNT/test bs=65536 count=1 >> \ + $seqres.full 2>&1 + sync + fi + + _dmesg_since_test_start | tac | sed -ne "0,\#${kmsg}#p" | tac | \ + egrep -q 'Metadata corruption detected at' && hasmsg=1 + + _scratch_unmount > /dev/null 2>&1 + [ $mounted -eq 0 -o $hasmsg -eq 1 ] && return + _fail "potential broken kernel" +} + +bigval=100000000 +fsdsopt="-d agcount=1,size=64m" + +force_crafted_metadata freeblks 0 "agf 0" +force_crafted_metadata longest $bigval "agf 0" +force_crafted_metadata length $bigval "agf 0" + +_scratch_mkfs_xfs_supported -m reflink=1 >> $seqres.full 2>&1 && \ + 
force_crafted_metadata refcntblocks $bigval "agf 0" "-m reflink=1" + +_scratch_mkfs_xfs_supported -m rmapbt=1 >> $seqres.full 2>&1 && \ + force_crafted_metadata rmapblocks $bigval "agf 0" "-m rmapbt=1" + +echo "Silence is golden" + +# success, all done +status=0 +exit diff --git a/tests/xfs/520.out b/tests/xfs/520.out new file mode 100644 index 00000000..2a59b872 --- /dev/null +++ b/tests/xfs/520.out @@ -0,0 +1,2 @@ +QA output created by 520 +Silence is golden diff --git a/tests/xfs/group b/tests/xfs/group index daf54add..433f04d0 100644 --- a/tests/xfs/group +++ b/tests/xfs/group @@ -517,3 +517,4 @@ 517 auto quick fsmap freeze 518 auto quick quota 519 auto quick reflink +520 auto quick reflink dangerous
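Review bot: in force_crafted_metadata() in tests/xfs/520 the exit status of `_scratch_xfs_set_metadata_field "$1" "$2" "$3"` is discarded, so if the field is never written the filesystem mounts cleanly, no "Metadata corruption detected at" line shows up, and the run ends in `_fail "potential broken kernel"` on a kernel that may be fine. Suggest failing early with something like `|| _fail "failed to set $1"`, mirroring the `|| _fail "mkfs failed"` on the mkfs line just above it. The header comment also mentions only agf.freeblks, while the calls at the bottom corrupt longest, length, refcntblocks and rmapblocks as well; listing them there would document what the test covers.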
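Review bot: the new tests/xfs/group entry `520 auto quick reflink dangerous` tags the test as reflink, but in tests/xfs/520 only the refcntblocks case passes "-m reflink=1", and that case is skipped whenever `_scratch_mkfs_xfs_supported -m reflink=1` fails; the freeblks, longest and length cases always run on a filesystem made without it. Consider dropping reflink from the tag list, or stating in the test header why the group applies.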
Add a regression test to see if kernel hangs in order to
look after CVE-2020-12655 and check if the corresponding
fix is applied as well.

Signed-off-by: Gao Xiang <hsiangkao@redhat.com>

---

changes since v1:
 add "Metadata corruption" dmesg check as an auxiliary for specific kernel

 tests/xfs/520 | 87 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/xfs/520.out | 2 ++
 tests/xfs/group | 1 +
 3 files changed, 90 insertions(+)
 create mode 100755 tests/xfs/520
 create mode 100644 tests/xfs/520.out