From: Darrick J. Wong Date: Mon, 9 Jan 2017 20:55:18 +0000 (-0800) Subject: xfs/ext4: check negative inode size X-Git-Tag: v2022.05.01~2231 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=466369dc92dea4d143c15574a406f0fad525585b;p=xfstests-dev.git xfs/ext4: check negative inode size Craft a malicious filesystem image with a negative inode size, then try to trigger a kernel DoS by appending data to the file. Ideally this should trigger verifier errors instead of hanging. Signed-off-by: Darrick J. Wong Reviewed-by: Eryu Guan Signed-off-by: Eryu Guan --- diff --git a/tests/shared/005 b/tests/shared/005 new file mode 100755 index 00000000..2fca9110 --- /dev/null +++ b/tests/shared/005 @@ -0,0 +1,75 @@ +#! /bin/bash +# FSQA Test No. 400 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a buffered append to make +# sure we catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs ext2 ext3 ext4 +_require_scratch_nocheck +_disable_dmesg_check +_require_command "$DEBUGFS_PROG" + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a + +echo "Corrupt filesystem" +_scratch_unmount +$DEBUGFS_PROG -w -R "sif /a size -1" $SCRATCH_DEV >> $seqres.full 2>&1 + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/shared/005.out b/tests/shared/005.out new file mode 100644 index 00000000..06e3fcdc --- /dev/null +++ b/tests/shared/005.out @@ -0,0 +1,5 @@ +QA output created by 005 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/shared/007 b/tests/shared/007 new file mode 100755 index 00000000..c6f25201 --- /dev/null +++ b/tests/shared/007 @@ -0,0 +1,77 @@ +#! /bin/bash +# FSQA Test No. 401 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a dio append to make sure we +# catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs ext2 ext3 ext4 +_require_scratch_nocheck +_disable_dmesg_check +_require_command "$DEBUGFS_PROG" + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a + +echo "Corrupt filesystem" +_scratch_unmount +# Set the file size to the highest multiple of 512 below +# -1 so that we can perform a dio write. +$DEBUGFS_PROG -w -R "sif /a size 0xFFFFFFFFFFFFFE00" $SCRATCH_DEV >> $seqres.full 2>&1 + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/shared/007.out b/tests/shared/007.out new file mode 100644 index 00000000..3afba59a --- /dev/null +++ b/tests/shared/007.out @@ -0,0 +1,5 @@ +QA output created by 007 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/shared/group b/tests/shared/group index 55bb5947..fab93315 100644 --- a/tests/shared/group +++ b/tests/shared/group @@ -7,7 +7,9 @@ 002 auto metadata quick 003 auto quick 004 auto quick +005 dangerous_fuzzers 006 auto enospc +007 dangerous_fuzzers 032 mkfs auto quick 051 acl udf auto quick 272 auto enospc rw diff --git a/tests/xfs/133 b/tests/xfs/133 new file mode 100755 index 00000000..fcaaa39e --- /dev/null +++ b/tests/xfs/133 @@ -0,0 +1,75 @@ +#! /bin/bash +# FSQA Test No. 400 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a buffered append to make +# sure we catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs xfs +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a +inum=$(stat -c "%i" $testdir/a) + +echo "Corrupt filesystem" +_scratch_unmount +_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -1' >> $seqres.full + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/xfs/133.out b/tests/xfs/133.out new file mode 100644 index 00000000..4c8fbafc --- /dev/null +++ b/tests/xfs/133.out @@ -0,0 +1,5 @@ +QA output created by 133 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/xfs/134 b/tests/xfs/134 new file mode 100755 index 00000000..d2990800 --- /dev/null +++ b/tests/xfs/134 @@ -0,0 +1,77 @@ +#! /bin/bash +# FSQA Test No. 401 +# +# Since loff_t is a signed type, it is invalid for a filesystem to load +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, +# which means that we can trivially DoS the VFS by creating such a file +# and appending to it. This causes an integer overflow in the routines +# underlying writeback, which results in the kernel locking up. +# +# So, create this malformed inode and try a dio append to make sure we +# catch this situation. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Oracle, Inc. All Rights Reserved. +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +PIDS="" +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter + +# real QA test starts here +_supported_os Linux +_supported_fs xfs +_require_scratch_nocheck +_disable_dmesg_check + +rm -f $seqres.full + +echo "Format and mount" +_scratch_mkfs >> $seqres.full 2>&1 +_scratch_mount + +testdir=$SCRATCH_MNT +echo m > $testdir/a +inum=$(stat -c "%i" $testdir/a) + +echo "Corrupt filesystem" +_scratch_unmount +# Set the file size to the highest multiple of 512 below +# -1 so that we can perform a dio write. +_scratch_xfs_db -x -c "inode ${inum}" -c 'write core.size -- -512' >> $seqres.full + +echo "Remount, try to append" +_scratch_mount +dd if=/dev/zero of=$testdir/a bs=512 count=1 oflag=direct,append conv=notrunc >> $seqres.full 2>&1 || echo "Write did not succeed (ok)." +sync + +# success, all done +status=0 +exit diff --git a/tests/xfs/134.out b/tests/xfs/134.out new file mode 100644 index 00000000..2f7ab19a --- /dev/null +++ b/tests/xfs/134.out @@ -0,0 +1,5 @@ +QA output created by 134 +Format and mount +Corrupt filesystem +Remount, try to append +Write did not succeed (ok). diff --git a/tests/xfs/group b/tests/xfs/group index 5b872d97..1aaf9209 100644 --- a/tests/xfs/group +++ b/tests/xfs/group @@ -130,6 +130,8 @@ 130 fuzzers clone 131 auto quick clone 132 auto quick clone +133 dangerous_fuzzers +134 dangerous_fuzzers 135 auto logprint quick v2log 136 attr2 137 auto metadata v2log