From patchwork Wed Feb 13 20:48:14 2019
X-Patchwork-Submitter: "Darrick J. Wong"
X-Patchwork-Id: 10810867
Date: Wed, 13 Feb 2019 12:48:14 -0800
From: "Darrick J. Wong"
To: guaneryu@gmail.com
Cc: linux-xfs@vger.kernel.org, fstests@vger.kernel.org
Subject: [PATCH 4/3] generic: posix acl extended attribute memory corruption test
Message-ID: <20190213204814.GB6477@magnolia>
References: <154993784038.1948.7502664832930298472.stgit@magnolia>
In-Reply-To: <154993784038.1948.7502664832930298472.stgit@magnolia>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-Mailing-List: fstests@vger.kernel.org

From: Darrick J. Wong

XFS had a use-after-free bug when xfs_xattr_put_listent runs out of
listxattr buffer space while trying to store the name
"system.posix_acl_access" and then corrupts memory by not checking the
seen_enough state and then trying to shove "trusted.SGI_ACL_FILE" into the
buffer as well.

In order to tickle the bug in a user-visible way, we must have already put a
name in the buffer, so we take advantage of the fact that "security.evm"
sorts before "system.posix_acl_access" to make sure this happens.

Signed-off-by: Darrick J. Wong
---
 .gitignore              |    1
 src/Makefile            |    2 -
 src/t_attr_corruption.c |  122 +++++++++++++++++++++++++++++++++++++++++++++++
 tests/generic/712       |   41 ++++++++++++++++
 tests/generic/712.out   |    2 +
 tests/generic/group     |    1
 6 files changed, 168 insertions(+), 1 deletion(-)
 create mode 100644 src/t_attr_corruption.c
 create mode 100755 tests/generic/712
 create mode 100644 tests/generic/712.out
diff --git a/.gitignore b/.gitignore index ea1aac8a..0933dc7d 100644 --- a/.gitignore +++ b/.gitignore @@ -114,6 +114,7 @@ /src/stat_test /src/swapon /src/t_access_root +/src/t_attr_corruption /src/t_dir_offset /src/t_dir_offset2 /src/t_dir_type diff --git a/src/Makefile b/src/Makefile index 41826585..ae09eb0a 100644 --- a/src/Makefile +++ b/src/Makefile @@ -27,7 +27,7 @@ LINUX_TARGETS = xfsctl bstat t_mtab getdevicesize preallo_rw_pattern_reader \ renameat2 t_getcwd e4compact test-nextquota punch-alternating \ attr-list-by-handle-cursor-test listxattr dio-interleaved t_dir_type \ dio-invalidate-cache stat_test t_encrypted_d_revalidate \ - attr_replace_test swapon mkswap + attr_replace_test swapon mkswap t_attr_corruption SUBDIRS = log-writes perf diff --git a/src/t_attr_corruption.c b/src/t_attr_corruption.c new file mode 100644 index 00000000..1fa5e41f --- /dev/null +++ b/src/t_attr_corruption.c 
@@ -0,0 +1,122 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* + * Copyright (C) 2019 Oracle. All Rights Reserved. + * Author: Darrick J. Wong + * + * Test program to tickle a use-after-free bug in xfs. + * + * XFS had a use-after-free bug when xfs_xattr_put_listent runs out of + * listxattr buffer space while trying to store the name + * "system.posix_acl_access" and then corrupts memory by not checking the + * seen_enough state and then trying to shove "trusted.SGI_ACL_FILE" into the + * buffer as well. + * + * In order to tickle the bug in a user visible way we must have already put a + * name in the buffer, so we take advantage of the fact that "security.evm" + * sorts before "system.posix_acl_access" to make sure this happens. + * + * If we trigger the bug, the program will print the garbled string + * "rusted.SGI_ACL_FILE". If the bug is fixed, the flistxattr call returns + * ERANGE. + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include + +void die(const char *msg) +{ + perror(msg); + exit(1); +} + +struct entry { + uint16_t a; + uint16_t b; + uint32_t c; +}; + +struct myacl { + uint32_t d; + struct entry e[4]; +}; + +int main(int argc, char *argv[]) +{ + struct myacl acl = { + .d = 2, + .e = { + {1, 0, 0}, + {4, 0, 0}, + {0x10, 0, 0}, + {0x20, 0, 0}, + }, + }; + char buf[64]; + ssize_t sz; + int fd; + int ret; + + if (argc > 1) { + ret = chdir(argv[1]); + if (ret) + die(argv[1]); + } + + fd = creat("file0", 0644); + if (fd < 0) + die("create"); + + ret = fsetxattr(fd, "system.posix_acl_access", &acl, sizeof(acl), 0); + if (ret) + die("set posix acl"); + + ret = fsetxattr(fd, "security.evm", buf, 1, 1); + if (ret) + die("set evm"); + + sz = flistxattr(fd, buf, 30); + if (sz < 0) + die("list attr"); + + printf("%s\n", buf); + + return 0; + +#if 0 + /* original syzkaller reproducer */ + + syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); + + memcpy((void*)0x20000180, "./file0", 8); + syscall(__NR_creat, 0x20000180, 
0); + memcpy((void*)0x20000000, "./file0", 8); + memcpy((void*)0x20000040, "system.posix_acl_access", 24); + *(uint32_t*)0x20000680 = 2; + *(uint16_t*)0x20000684 = 1; + *(uint16_t*)0x20000686 = 0; + *(uint32_t*)0x20000688 = 0; + *(uint16_t*)0x2000068c = 4; + *(uint16_t*)0x2000068e = 0; + *(uint32_t*)0x20000690 = 0; + *(uint16_t*)0x20000694 = 0x10; + *(uint16_t*)0x20000696 = 0; + *(uint32_t*)0x20000698 = 0; + *(uint16_t*)0x2000069c = 0x20; + *(uint16_t*)0x2000069e = 0; + *(uint32_t*)0x200006a0 = 0; + syscall(__NR_setxattr, 0x20000000, 0x20000040, 0x20000680, 0x24, 0); + memcpy((void*)0x20000080, "./file0", 8); + memcpy((void*)0x200000c0, "security.evm", 13); + memcpy((void*)0x20000100, "\x03\x00\x00\x00\x57", 5); + syscall(__NR_lsetxattr, 0x20000080, 0x200000c0, 0x20000100, 1, 1); + memcpy((void*)0x20000300, "./file0", 8); + syscall(__NR_listxattr, 0x20000300, 0x200002c0, 0x1e); + return 0; +#endif +} diff --git a/tests/generic/712 b/tests/generic/712 new file mode 100755 index 00000000..6348a797 --- /dev/null +++ b/tests/generic/712 @@ -0,0 +1,41 @@ +#! /bin/bash +# SPDX-License-Identifier: GPL-2.0+ +# Copyright (c) 2019 Oracle, Inc. All Rights Reserved. +# +# FS QA Test No. 712 +# +# Regression test for a bug where XFS corrupts memory if the listxattr buffer +# is a particularly well crafted size on a filesystem that supports posix acls. +# +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" +tmp=/tmp/$$ +status=1 # failure is the default! +testfile=$TEST_DIR/$seq.txt +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/attr + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_acls +_require_scratch + +rm -f $seqres.full +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +src/t_attr_corruption $SCRATCH_MNT + +status=0 +exit 
diff --git a/tests/generic/712.out b/tests/generic/712.out new file mode 100644 index 00000000..a2ba09f3 --- /dev/null +++ b/tests/generic/712.out @@ -0,0 +1,2 @@ +QA output created by 712 +list attr: Numerical result out of range diff --git a/tests/generic/group b/tests/generic/group index f56eb475..b3086154 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -529,3 +529,4 @@ 524 auto quick 525 auto quick rw 709 auto quick +712 auto quick attr
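Review bot: in src/t_attr_corruption.c, `fsetxattr(fd, "security.evm", buf, 1, 1);` passes the first byte of the still-uninitialized `char buf[64]` as the attribute value, so the EVM xattr content is whatever happened to be on the stack and valgrind/MSan will flag the call; initialize the buffer first (for example `memset(buf, 0, sizeof(buf));`) or use an explicit value such as the `"\x03\x00\x00\x00\x57"` byte string that the syzkaller reproducer kept under `#if 0` uses. Also, `printf("%s\n", buf);` prints only up to the first NUL, i.e. the first name of the NUL-separated list that `flistxattr` returns, and discards the returned length `sz`; that is enough to surface the garbled "rusted.SGI_ACL_FILE" string the header comment describes, but a one-line comment saying only the first entry is inspected on purpose would save the next reader a question.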
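Review bot: in tests/generic/712, `testfile=$TEST_DIR/$seq.txt` is assigned but never used (the test only touches `$SCRATCH_MNT` through the helper binary), so drop it; and because the test depends on `src/t_attr_corruption` having been built, add `_require_test_program "t_attr_corruption"` next to `_require_acls` so a missing binary yields a notrun rather than a spurious failure. Running `src/t_attr_corruption $SCRATCH_MNT` without redirecting to `$seqres.full` is intentional since its stdout is the golden output, but a short comment above that line stating that the expected ERANGE message is produced by perror() in the helper would make 712.out easier to understand.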
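Review bot: tests/generic/712.out matches the literal perror text `list attr: Numerical result out of range`, so the golden output is tied to the C-locale strerror(ERANGE) string of the libc the helper is linked against; that is fine as long as the harness pins LANG/LC_ALL, but if that is not guaranteed it would be more robust to have the helper print the errno symbolically (e.g. "list attr: ERANGE") and match that instead.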
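Review bot: in tests/generic/group the new `712 auto quick attr` entry omits the `acl` group even though the test gates on `_require_acls` and exercises `system.posix_acl_access`; adding `acl` lets runs of that group pick up this regression test.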