xfs/ext4: check negative inode size

Craft a malicious filesystem image with a negative inode size,
then try to trigger a kernel DoS by appending data to the file.
Ideally this should trigger verifier errors instead of hanging.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Eryu Guan <eguan@redhat.com>
Signed-off-by: Eryu Guan <eguan@redhat.com>

10 files changed, 328 insertions, 0 deletions

diff --git a/tests/shared/005 b/tests/shared/005
new file mode 100755
index 0000000000..2fca911060
--- /dev/null
+++ b/tests/shared/005
@@ -0,0 +1,75 @@
+#! /bin/bash
+# FSQA Test No. 400
+#
+# Since loff_t is a signed type, it is invalid for a filesystem to load
+# an inode with i_size = -1ULL.  Unfortunately, nobody checks this,
+# which means that we can trivially DoS the VFS by creating such a file
+# and appending to it.  This causes an integer overflow in the routines
+# underlying writeback, which results in the kernel locking up.
+#
+# So, create this malformed inode and try a buffered append to make
+# sure we catch this situation.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2017 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+PIDS=""
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs ext2 ext3 ext4
+_require_scratch_nocheck
+_disable_dmesg_check
+_require_command "$DEBUGFS_PROG"
+
+rm -f $seqres.full
+
+echo "Format and mount"
+_scratch_mkfs  >> $seqres.full 2>&1
+_scratch_mount
+
+testdir=$SCRATCH_MNT
+echo m > $testdir/a
+
+echo "Corrupt filesystem"
+_scratch_unmount
+$DEBUGFS_PROG -w -R "sif /a size -1" $SCRATCH_DEV >> $seqres.full 2>&1
+
+echo "Remount, try to append"
+_scratch_mount
+dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)."
+sync
+
+# success, all done
+status=0
+exit
diff --git a/tests/shared/005.out b/tests/shared/005.out
new file mode 100644
index 0000000000..06e3fcdc83
--- /dev/null
+++ b/tests/shared/005.out
@@ -0,0 +1,5 @@
+QA output created by 005
+Format and mount
+Corrupt filesystem
+Remount, try to append
+Write did not succeed (ok).
diff --git a/tests/shared/007 b/tests/shared/007
new file mode 100755
index 0000000000..c6f2520185
--- /dev/null
+++ b/tests/shared/007
@@ -0,0 +1,77 @@
+#! /bin/bash
+# FSQA Test No. 401
+#
+# Since loff_t is a signed type, it is invalid for a filesystem to load
+# an inode with i_size = -1ULL.  Unfortunately, nobody checks this,
+# which means that we can trivially DoS the VFS by creating such a file
+# and appending to it.  This causes an integer overflow in the routines
+# underlying writeback, which results in the kernel locking up.
+#
+# So, create this malformed inode and try a dio append to make sure we
+# catch this situation.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2017 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+PIDS=""
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs ext2 ext3 ext4
+_require_scratch_nocheck
+_disable_dmesg_check
+_require_command "$DEBUGFS_PROG"
+
+rm -f $seqres.full
+
+echo "Format and mount"
+_scratch_mkfs  >> $seqres.full 2>&1
+_scratch_mount
+
+testdir=$SCRATCH_MNT
+echo m > $testdir/a
+
+echo "Corrupt filesystem"
+_scratch_unmount
+# Set the file size to the highest multiple of 512 below
+# -1 so that we can perform a dio write.
+$DEBUGFS_PROG -w -R "sif /a size 0xFFFFFFFFFFFFFE00" $SCRATCH_DEV >> $seqres.full 2>&1
+
+echo "Remount, try to append"
+_scratch_mount
+dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)."
+sync
+
+# success, all done
+status=0
+exit
diff --git a/tests/shared/007.out b/tests/shared/007.out
new file mode 100644
index 0000000000..3afba59a59
--- /dev/null
+++ b/tests/shared/007.out
@@ -0,0 +1,5 @@
+QA output created by 007
+Format and mount
+Corrupt filesystem
+Remount, try to append
+Write did not succeed (ok).
diff --git a/tests/shared/group b/tests/shared/group
index 55bb594737..fab933159f 100644
--- a/tests/shared/group
+++ b/tests/shared/group
@@ -7,7 +7,9 @@
 002 auto metadata quick
 003 auto quick
 004 auto quick
+005 dangerous_fuzzers
 006 auto enospc
+007 dangerous_fuzzers
 032 mkfs auto quick
 051 acl udf auto quick
 272 auto enospc rw
diff --git a/tests/xfs/133 b/tests/xfs/133
new file mode 100755
index 0000000000..fcaaa39e20
--- /dev/null
+++ b/tests/xfs/133
@@ -0,0 +1,75 @@
+#! /bin/bash
+# FSQA Test No. 400
+#
+# Since loff_t is a signed type, it is invalid for a filesystem to load
+# an inode with i_size = -1ULL.  Unfortunately, nobody checks this,
+# which means that we can trivially DoS the VFS by creating such a file
+# and appending to it.  This causes an integer overflow in the routines
+# underlying writeback, which results in the kernel locking up.
+#
+# So, create this malformed inode and try a buffered append to make
+# sure we catch this situation.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2017 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+PIDS=""
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_nocheck
+_disable_dmesg_check
+
+rm -f $seqres.full
+
+echo "Format and mount"
+_scratch_mkfs  >> $seqres.full 2>&1
+_scratch_mount
+
+testdir=$SCRATCH_MNT
+echo m > $testdir/a
+inum=$(stat -c "%i" $testdir/a)
+
+echo "Corrupt filesystem"
+_scratch_unmount
+_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -1' >> $seqres.full
+
+echo "Remount, try to append"
+_scratch_mount
+dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)."
+sync
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/133.out b/tests/xfs/133.out
new file mode 100644
index 0000000000..4c8fbafcbd
--- /dev/null
+++ b/tests/xfs/133.out
@@ -0,0 +1,5 @@
+QA output created by 133
+Format and mount
+Corrupt filesystem
+Remount, try to append
+Write did not succeed (ok).
diff --git a/tests/xfs/134 b/tests/xfs/134
new file mode 100755
index 0000000000..d2990800ba
--- /dev/null
+++ b/tests/xfs/134
@@ -0,0 +1,77 @@
+#! /bin/bash
+# FSQA Test No. 401
+#
+# Since loff_t is a signed type, it is invalid for a filesystem to load
+# an inode with i_size = -1ULL.  Unfortunately, nobody checks this,
+# which means that we can trivially DoS the VFS by creating such a file
+# and appending to it.  This causes an integer overflow in the routines
+# underlying writeback, which results in the kernel locking up.
+#
+# So, create this malformed inode and try a dio append to make sure we
+# catch this situation.
+#
+#-----------------------------------------------------------------------
+# Copyright (c) 2017 Oracle, Inc.  All Rights Reserved.
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it would be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write the Free Software Foundation,
+# Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#-----------------------------------------------------------------------
+
+seq=`basename $0`
+seqres=$RESULT_DIR/$seq
+echo "QA output created by $seq"
+
+PIDS=""
+tmp=/tmp/$$
+status=1	# failure is the default!
+trap "_cleanup; exit \$status" 0 1 2 3 15
+
+_cleanup()
+{
+	rm -f $tmp.*
+}
+
+# get standard environment, filters and checks
+. ./common/rc
+. ./common/filter
+
+# real QA test starts here
+_supported_os Linux
+_supported_fs xfs
+_require_scratch_nocheck
+_disable_dmesg_check
+
+rm -f $seqres.full
+
+echo "Format and mount"
+_scratch_mkfs  >> $seqres.full 2>&1
+_scratch_mount
+
+testdir=$SCRATCH_MNT
+echo m > $testdir/a
+inum=$(stat -c "%i" $testdir/a)
+
+echo "Corrupt filesystem"
+_scratch_unmount
+# Set the file size to the highest multiple of 512 below
+# -1 so that we can perform a dio write.
+_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -512' >> $seqres.full
+
+echo "Remount, try to append"
+_scratch_mount
+dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)."
+sync
+
+# success, all done
+status=0
+exit
diff --git a/tests/xfs/134.out b/tests/xfs/134.out
new file mode 100644
index 0000000000..2f7ab19ac4
--- /dev/null
+++ b/tests/xfs/134.out
@@ -0,0 +1,5 @@
+QA output created by 134
+Format and mount
+Corrupt filesystem
+Remount, try to append
+Write did not succeed (ok).
diff --git a/tests/xfs/group b/tests/xfs/group
index 5b872d9772..1aaf920920 100644
--- a/tests/xfs/group
+++ b/tests/xfs/group
@@ -130,6 +130,8 @@
 130 fuzzers clone
 131 auto quick clone
 132 auto quick clone
+133 dangerous_fuzzers
+134 dangerous_fuzzers
 135 auto logprint quick v2log
 136 attr2
 137 auto metadata v2log