diff options
author | Darrick J. Wong <darrick.wong@oracle.com> | 2017-01-09 12:55:18 -0800 |
---|---|---|
committer | Eryu Guan <eguan@redhat.com> | 2017-01-15 13:56:45 +0800 |
commit | 466369dc92dea4d143c15574a406f0fad525585b (patch) | |
tree | bcacf0b0b444f06024c514a9c4082bfafc368e5e | |
parent | 959f80ec24601ec14c5c8514a51dc763ff93d41d (diff) | |
download | xfstests-dev-466369dc92dea4d143c15574a406f0fad525585b.tar.gz |
xfs/ext4: check negative inode size
Craft a malicious filesystem image with a negative inode size,
then try to trigger a kernel DoS by appending data to the file.
Ideally this should trigger verifier errors instead of hanging.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Eryu Guan <eguan@redhat.com>
-rwxr-xr-x | tests/shared/005 | 75 | ||||
-rw-r--r-- | tests/shared/005.out | 5 | ||||
-rwxr-xr-x | tests/shared/007 | 77 | ||||
-rw-r--r-- | tests/shared/007.out | 5 | ||||
-rw-r--r-- | tests/shared/group | 2 | ||||
-rwxr-xr-x | tests/xfs/133 | 75 | ||||
-rw-r--r-- | tests/xfs/133.out | 5 | ||||
-rwxr-xr-x | tests/xfs/134 | 77 | ||||
-rw-r--r-- | tests/xfs/134.out | 5 | ||||
-rw-r--r-- | tests/xfs/group | 2 |
10 files changed, 328 insertions, 0 deletions
diff --git a/tests/shared/005 b/tests/shared/005 new file mode 100755 index 0000000000..2fca911060 --- /dev/null +++ b/tests/shared/005 @@ -0,0 +1,75 @@ +#! /bin/bash +# FSQA Test No. 400 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a buffered append to make +# sure we catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs ext2 ext3 ext4 +_require_scratch_nocheck +_disable_dmesg_check +_require_command "$DEBUGFS_PROG" + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a + +echo "Corrupt filesystem" +_scratch_unmount +$DEBUGFS_PROG -w -R "sif /a size -1" $SCRATCH_DEV >> $seqres.full 2>&1 + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/shared/005.out b/tests/shared/005.out new file mode 100644 index 0000000000..06e3fcdc83 --- /dev/null +++ b/tests/shared/005.out @@ -0,0 +1,5 @@ +QA output created by 005 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/shared/007 b/tests/shared/007 new file mode 100755 index 0000000000..c6f2520185 --- /dev/null +++ b/tests/shared/007 @@ -0,0 +1,77 @@ +#! /bin/bash +# FSQA Test No. 401 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a dio append to make sure we +# catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs ext2 ext3 ext4 +_require_scratch_nocheck +_disable_dmesg_check +_require_command "$DEBUGFS_PROG" + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a + +echo "Corrupt filesystem" +_scratch_unmount +# Set the file size to the highest multiple of 512 below +# -1 so that we can perform a dio write. +$DEBUGFS_PROG -w -R "sif /a size 0xFFFFFFFFFFFFFE00" $SCRATCH_DEV >> $seqres.full 2>&1 + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/shared/007.out b/tests/shared/007.out new file mode 100644 index 0000000000..3afba59a59 --- /dev/null +++ b/tests/shared/007.out @@ -0,0 +1,5 @@ +QA output created by 007 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/shared/group b/tests/shared/group index 55bb594737..fab933159f 100644 --- a/tests/shared/group +++ b/tests/shared/group @@ -7,7 +7,9 @@ 002 auto metadata quick 003 auto quick 004 auto quick +005 dangerous_fuzzers 006 auto enospc +007 dangerous_fuzzers 032 mkfs auto quick 051 acl udf auto quick 272 auto enospc rw diff --git a/tests/xfs/133 b/tests/xfs/133 new file mode 100755 index 0000000000..fcaaa39e20 --- /dev/null +++ b/tests/xfs/133 @@ -0,0 +1,75 @@ +#! /bin/bash +# FSQA Test No. 400 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a buffered append to make +# sure we catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs xfs +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a +inum=$(stat -c "%i" $testdir/a) + +echo "Corrupt filesystem" +_scratch_unmount +_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -1' >> $seqres.full + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/xfs/133.out b/tests/xfs/133.out new file mode 100644 index 0000000000..4c8fbafcbd --- /dev/null +++ b/tests/xfs/133.out @@ -0,0 +1,5 @@ +QA output created by 133 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/xfs/134 b/tests/xfs/134 new file mode 100755 index 0000000000..d2990800ba --- /dev/null +++ b/tests/xfs/134 @@ -0,0 +1,77 @@ +#! /bin/bash +# FSQA Test No. 401 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a dio append to make sure we +# catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs xfs +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a +inum=$(stat -c "%i" $testdir/a) + +echo "Corrupt filesystem" +_scratch_unmount +# Set the file size to the highest multiple of 512 below +# -1 so that we can perform a dio write. +_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -512' >> $seqres.full + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/xfs/134.out b/tests/xfs/134.out new file mode 100644 index 0000000000..2f7ab19ac4 --- /dev/null +++ b/tests/xfs/134.out @@ -0,0 +1,5 @@ +QA output created by 134 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/xfs/group b/tests/xfs/group index 5b872d9772..1aaf920920 100644 --- a/tests/xfs/group +++ b/tests/xfs/group @@ -130,6 +130,8 @@ 130 fuzzers clone 131 auto quick clone 132 auto quick clone +133 dangerous_fuzzers +134 dangerous_fuzzers 135 auto logprint quick v2log 136 attr2 137 auto metadata v2log |