From patchwork Sun Dec 11 21:53:28 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Darrick J. Wong" X-Patchwork-Id: 9469909 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id A1176607D3 for ; Sun, 11 Dec 2016 21:54:54 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 9251328210 for ; Sun, 11 Dec 2016 21:54:54 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 7A8292835E; Sun, 11 Dec 2016 21:54:54 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-4.2 required=2.0 tests=BAYES_00, RCVD_IN_DNSWL_MED, UNPARSEABLE_RELAY autolearn=unavailable version=3.3.1 Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.wl.linuxfoundation.org (Postfix) with ESMTPS id 7416728236 for ; Sun, 11 Dec 2016 21:54:53 +0000 (UTC) Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id uBBLsA2s030425 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 11 Dec 2016 21:54:10 GMT Received: from oss.oracle.com (oss-old-reserved.oracle.com [137.254.22.2]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id uBBLs9Eg011204 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Sun, 11 Dec 2016 21:54:10 GMT Received: from localhost ([127.0.0.1] helo=lb-oss.oracle.com) by oss.oracle.com with esmtp (Exim 4.63) (envelope-from ) id 1cGC4P-00027h-Q6; Sun, 11 Dec 2016 13:54:09 -0800 Received: from aserv0022.oracle.com ([141.146.126.234]) by oss.oracle.com with esmtp (Exim 4.63) (envelope-from ) id 1cGC3p-0001um-Ix for ocfs2-devel@oss.oracle.com; Sun, 11 Dec 2016 13:53:33 -0800 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id uBBLrX3d003062 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 11 Dec 2016 21:53:33 GMT Received: from abhmp0011.oracle.com (abhmp0011.oracle.com [141.146.116.17]) by aserv0121.oracle.com (8.13.8/8.13.8) with ESMTP id uBBLrVvh022966; Sun, 11 Dec 2016 21:53:32 GMT Received: from localhost (/24.21.211.40) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 11 Dec 2016 13:53:31 -0800 From: "Darrick J. Wong" To: eguan@redhat.com, darrick.wong@oracle.com Date: Sun, 11 Dec 2016 13:53:28 -0800 Message-ID: <148149320892.31093.18280644018166858868.stgit@birch.djwong.org> In-Reply-To: <148149316504.31093.16129068344227450710.stgit@birch.djwong.org> References: <148149316504.31093.16129068344227450710.stgit@birch.djwong.org> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Cc: fstests@vger.kernel.org, ocfs2-devel@oss.oracle.com Subject: [Ocfs2-devel] [PATCH 7/7] xfs/ext4: check negative inode size X-BeenThere: ocfs2-devel@oss.oracle.com X-Mailman-Version: 2.1.9 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: ocfs2-devel-bounces@oss.oracle.com Errors-To: ocfs2-devel-bounces@oss.oracle.com X-Source-IP: userv0021.oracle.com [156.151.31.71] X-Virus-Scanned: ClamAV using ClamSMTP Craft a malicious filesystem image with a negative inode size, then try to trigger a kernel DoS by appending data to the file. Ideally this should trigger verifier errors instead of hanging. Signed-off-by: Darrick J. Wong --- tests/ext4/400 | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/ext4/401 | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/ext4/group | 2 ++ tests/xfs/400 | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/xfs/401 | 72 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ tests/xfs/group | 2 ++ 6 files changed, 290 insertions(+) create mode 100755 tests/ext4/400 create mode 100755 tests/ext4/401 create mode 100755 tests/xfs/400 create mode 100755 tests/xfs/401 diff --git a/tests/ext4/400 b/tests/ext4/400 new file mode 100755 index 0000000..5857549 --- /dev/null +++ b/tests/ext4/400 @@ -0,0 +1,71 @@ +#! /bin/bash +# FSQA Test No. 400 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +#----------------------------------------------------------------------- +# Copyright (c) 2016-2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs ext2 ext3 ext4 +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a + +echo "Corrupt filesystem" +_scratch_unmount +debugfs -w -R "sif /a size -1" $SCRATCH_DEV >> $seqres.full 2>&1 + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/ext4/401 b/tests/ext4/401 new file mode 100755 index 0000000..ee7ecf3 --- /dev/null +++ b/tests/ext4/401 @@ -0,0 +1,71 @@ +#! /bin/bash +# FSQA Test No. 401 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +#----------------------------------------------------------------------- +# Copyright (c) 2016-2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs ext2 ext3 ext4 +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a + +echo "Corrupt filesystem" +_scratch_unmount +debugfs -w -R "sif /a size 0xFFFFFFFFFFFFFE00" $SCRATCH_DEV >> $seqres.full 2>&1 + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/ext4/group b/tests/ext4/group index 53fe03e..43b2d06 100644 --- a/tests/ext4/group +++ b/tests/ext4/group @@ -34,3 +34,5 @@ 306 auto rw resize quick 307 auto ioctl rw 308 auto ioctl rw prealloc quick +400 dangerous_fuzzers +401 dangerous_fuzzers diff --git a/tests/xfs/400 b/tests/xfs/400 new file mode 100755 index 0000000..498c024 --- /dev/null +++ b/tests/xfs/400 @@ -0,0 +1,72 @@ +#! /bin/bash +# FSQA Test No. 400 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +#----------------------------------------------------------------------- +# Copyright (c) 2016-2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs xfs +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a +inum=$(stat -c "%i" $testdir/a) + +echo "Corrupt filesystem" +_scratch_unmount +_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -1' >> $seqres.full + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/xfs/401 b/tests/xfs/401 new file mode 100755 index 0000000..41b262d --- /dev/null +++ b/tests/xfs/401 @@ -0,0 +1,72 @@ +#! /bin/bash +# FSQA Test No. 401 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +#----------------------------------------------------------------------- +# Copyright (c) 2016-2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs xfs +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a +inum=$(stat -c "%i" $testdir/a) + +echo "Corrupt filesystem" +_scratch_unmount +_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -1' >> $seqres.full + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/xfs/group b/tests/xfs/group index c237b50..10ba27b 100644 --- a/tests/xfs/group +++ b/tests/xfs/group @@ -334,3 +334,5 @@ 345 auto quick clone 346 auto quick clone 347 auto quick clone +400 dangerous_fuzzers +401 dangerous_fuzzers