From: Wei Gao via ltp <ltp@lists.linux.it>
To: Petr Vorel <pvorel@suse.cz>
Cc: ltp@lists.linux.it, rpalethorpe@suse.com
Subject: Re: [LTP] [PATCH v4] fsconfig03: New test CVE-2022-0185
Date: Fri, 17 Feb 2023 04:19:14 -0500 [thread overview]
Message-ID: <20230217091914.GA14295@localhost> (raw)
In-Reply-To: <Y+8/CHVbHycW1+Gv@pevik>
On Fri, Feb 17, 2023 at 09:47:04AM +0100, Petr Vorel wrote:
> Hi all,
>
> I've tested various kernels, it looks like test works as expected
> (older unpatched kernel fails, newer works, very old ones TCONF).
Thanks for great work!
>
> > There are reproducers available for CVE-2022-0185
> > https://www.openwall.com/lists/oss-security/2022/01/25/14
>
> > Also with links or even a zip file for an exploit
> > https://github.com/Crusaders-of-Rust/CVE-2022-0185
>
> > The exploits are kind of complicated as they try to be complete,
> > but the exploitation vector is the fsconfig() syscall,
> > this case used for add some coverage to that to detect it.
>
> > When kernel < v5.15.16, you can easily reproduce crash use test case
> > without check error and return logic in loop.
>
> > I have used this test case trigger 5.14.1 kernel crash with ext2/4.
>
> > Just make sure your kernel have not patched by following two commits:
> > e192ccc17ecf3 - fix up param length parsing in legacy_parse_param
> FYI: commit 722d94847de29310e8aa03fcbdb41fc92c521756 upstream.
> => that's a backport of 722d94847de29 we have in .tags in 5.15 stable branch.
> This is not obvious, because the hash is different; also hash will be
> different for for other kernel stable branches, e.g. in 5.10 stable it's
> backported into eadde287a62e66b2f9e62d007c59a8f50d4b8413.
>
> This is misleading, I first wondered if e192ccc17ecf3 shouldn't be in tags
> (it shouldn't because it's a backport of 722d94847de29 => we don't put backports
> there: "We don’t track all backports to stable kernel but just those which are
> stable branch specific (unique), i.e. no commit in mainline. Example of commits:
> c4a23c852e80, cac68d12c531." [1]).
>
> Therefore I'd remove this whole section ("Just make sure...").
>
No problem for me.
> > cebe85d570cf8 - ext4: switch to the new mount api
>
> I suppose test is now working as expected regardless kernel uses
> the old mount API or the new one (from cebe85d570cf8), right?
> Is this comment up to date?
This commit can impact test result in a very small window, in theory if you test kernel version
between v5.15.16 ~ v5.17-rc1 for ext2/3/4, fsconfig will not give error until buffer size reach
a page size.
git describe --contains e192ccc17ecf3 //fix for legacy_parse_param
v5.15.16~24
git describe --contains cebe85d570cf8 //fix for switch new parse function
v5.17-rc1~131^2~36
>
> Also, nit: kernel commits are usually put in form of hash ("..."), i.e.
> e192ccc17ecf ("vfs: fs_context: fix up param length parsing in legacy_parse_param")
>
> Kind regards,
> Petr
>
> [1] https://github.com/linux-test-project/ltp/wiki/C-Test-API#138-test-tags
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2023-02-17 9:19 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-29 11:50 [LTP] [PATCH v1] fsconfig: New case cover CVE-2022-0185 Wei Gao via ltp
2023-02-01 12:49 ` Petr Vorel
2023-02-06 10:38 ` Wei Gao via ltp
2023-02-06 16:19 ` Petr Vorel
2023-02-08 9:01 ` Wei Gao via ltp
2023-02-08 15:48 ` Petr Vorel
2023-02-09 2:25 ` Wei Gao via ltp
2023-02-09 10:10 ` Cyril Hrubis
2023-02-09 11:37 ` Wei Gao via ltp
2023-02-06 16:42 ` Wei Gao via ltp
2023-02-09 13:19 ` [LTP] [PATCH v2] " Wei Gao via ltp
2023-02-09 14:15 ` Petr Vorel
2023-02-09 14:27 ` Cyril Hrubis
2023-02-09 14:40 ` Petr Vorel
2023-02-09 14:53 ` Cyril Hrubis
2023-02-09 14:35 ` Petr Vorel
2023-02-09 14:52 ` Cyril Hrubis
2023-02-09 15:18 ` Petr Vorel
2023-02-10 8:22 ` Wei Gao via ltp
2023-02-10 9:00 ` Wei Gao via ltp
2023-02-13 1:09 ` [LTP] [PATCH v3] fsconfig03: New test CVE-2022-0185 Wei Gao via ltp
2023-02-14 11:05 ` Richard Palethorpe
2023-02-16 9:42 ` Wei Gao via ltp
2023-02-16 12:09 ` Richard Palethorpe
2023-02-16 12:54 ` Wei Gao via ltp
2023-02-16 23:52 ` [LTP] [PATCH v4] " Wei Gao via ltp
2023-02-17 7:48 ` Petr Vorel
2023-02-17 8:47 ` Petr Vorel
2023-02-17 9:19 ` Wei Gao via ltp [this message]
2023-02-27 16:20 ` Richard Palethorpe
2023-02-28 3:22 ` [LTP] [PATCH v5] " Wei Gao via ltp
2023-02-28 3:27 ` [LTP] [PATCH v6] " Wei Gao via ltp
2023-02-28 8:49 ` Richard Palethorpe
2023-03-01 13:46 ` Martin Doucha
2023-03-01 14:12 ` Wei Gao via ltp
2023-03-02 1:45 ` [LTP] [PATCH v7] fsconfig03: SKIP check return value for old kernel Wei Gao via ltp
2023-03-02 10:00 ` Petr Vorel
2023-03-02 10:45 ` Wei Gao via ltp
2023-03-02 10:03 ` Petr Vorel
2023-03-04 2:03 ` [LTP] [PATCH v8] " Wei Gao via ltp
2023-03-07 9:23 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230217091914.GA14295@localhost \
--to=ltp@lists.linux.it \
--cc=pvorel@suse.cz \
--cc=rpalethorpe@suse.com \
--cc=wegao@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.