From patchwork Tue Feb 26 02:35:35 2019
X-Patchwork-Submitter: "Darrick J. Wong"
X-Patchwork-Id: 10829353
Subject: [PATCH 2/2] t_attr_corruption: fix this yet again
From: "Darrick J. Wong"
To: guaneryu@gmail.com
Cc: linux-xfs@vger.kernel.org, fstests@vger.kernel.org
Date: Mon, 25 Feb 2019 18:35:35 -0800
Message-ID: <155114853550.9683.11298191063436471344.stgit@magnolia>
In-Reply-To: <155114852926.9683.4048206997940455508.stgit@magnolia>
References: <155114852926.9683.4048206997940455508.stgit@magnolia>
User-Agent: StGit/0.17.1-dirty
X-Mailing-List: linux-xfs@vger.kernel.org

From: Darrick J. Wong

Jeff Moyer pointed out that 'security.evm' actually has an expected value
format, which breaks the test if EVM is enabled.  It turns out that the
'security.evm' setxattr call in the original syzkaller report was a total
red herring, as this bug can be reproduced without it.  Fix the test case
to do the minimum amount of work needed to reproduce the corruption.

Signed-off-by: Darrick J. Wong
Reviewed-by: Allison Henderson
---
 src/t_attr_corruption.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/src/t_attr_corruption.c b/src/t_attr_corruption.c
index f26611f9..9101024e 100644
--- a/src/t_attr_corruption.c
+++ b/src/t_attr_corruption.c
@@ -3,17 +3,21 @@ * Copyright (C) 2019 Oracle. All Rights Reserved. * Author: Darrick J. Wong * - * Test program to tickle a use-after-free bug in xfs. + * XFS had a memory corruption bug in its handling of the POSIX ACL attribute + * names during a listxattr call. * - * XFS had a use-after-free bug when xfs_xattr_put_listent runs out of - * listxattr buffer space while trying to store the name - * "system.posix_acl_access" and then corrupts memory by not checking the - * seen_enough state and then trying to shove "trusted.SGI_ACL_FILE" into the - * buffer as well. + * On IRIX, file ACLs were stored under the name "trusted.SGI_ACL_FILE", + * whereas on Linux the name is "system.posix_acl_access". In order to + * maintain compatibility with old filesystems, XFS internally continues to + * use the old SGI_ACL_FILE name on disk and remap the new name whenever it + * sees it. * - * In order to tickle the bug in a user visible way we must have already put a - * name in the buffer, so we take advantage of the fact that "security.evm" - * sorts before "system.posix_acl_access" to make sure this happens. + * In order to make this magic happen, XFS' listxattr implementation will emit + * first the Linux name and then the on-disk name. Unfortunately, it doesn't + * correctly check the buffer length, so if the buffer is large enough to fit + * the on-disk name but not large enough to fit the Linux name, we screw up + * the buffer position accounting while trying to emit the Linux name and then + * corrupt memory when we try to emit the on-disk name. * * If we trigger the bug, the program will print the garbled string * "rusted.SGI_ACL_FILE". If the bug is fixed, the flistxattr call returns @@ -76,11 +80,7 @@ int main(int argc, char *argv[]) if (ret) die("set posix acl"); - ret = fsetxattr(fd, "security.evm", buf, 1, 1); - if (ret) - die("set evm"); - - sz = flistxattr(fd, buf, 30); + sz = flistxattr(fd, buf, 20); if (sz < 0) die("list attr");
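Review bot: the rewritten header comment gives the triggering condition only qualitatively ("large enough to fit the on-disk name but not large enough to fit the Linux name"), yet the size the program actually passes (20, in the second hunk) equals strlen("trusted.SGI_ACL_FILE") exactly, is three short of strlen("system.posix_acl_access") == 23, and leaves no room for a terminating NUL for either name, so a reader cannot tell from the comment alone whether 20 sits in the intended window. Spell the two name lengths out next to the condition (something like "trusted.SGI_ACL_FILE is 20 bytes, system.posix_acl_access is 23, so a 20-byte buffer ...") so the number in main() can be checked against the comment. Minor style point in the same hunk: "we screw up the buffer position accounting" is informal for a file header; "the buffer position accounting goes wrong" reads better.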
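Review bot: the 20 in `sz = flistxattr(fd, buf, 20);` is a magic number whose meaning (the length of "trusted.SGI_ACL_FILE", less than the 23 characters of "system.posix_acl_access") is only recoverable from the file header comment; put the arithmetic at the call site, e.g. a `#define` with a one-line comment, so that a later edit to the buffer size or either name does not silently move the test out of the triggering window. Also, now that the `fsetxattr(fd, "security.evm", buf, 1, 1)` call is gone, `buf` is used only by flistxattr and the later print of the garbled name; the hunk's context does not show its declaration, so please confirm it is still sized for a 20-byte listxattr write plus whatever the print path expects, and drop it from the EVM-related comments if any remain.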