From: Petr Vorel <pvorel@suse.cz>
To: Wei Gao <wegao@suse.com>
Cc: Richard Palethorpe <rpalethorpe@suse.com>, ltp@lists.linux.it
Subject: Re: [LTP] [PATCH v2] fsconfig: New case cover CVE-2022-0185
Date: Thu, 9 Feb 2023 15:15:44 +0100 [thread overview]
Message-ID: <Y+UAENJVDUSDPAay@pevik> (raw)
In-Reply-To: <20230209131902.12260-1-wegao@suse.com>
Hi Wei,
There is still problem with ntfs:
tst_test.c:1634: TINFO: === Testing on ntfs ===
tst_test.c:1093: TINFO: Formatting /dev/loop0 with ntfs opts='' extra opts=''
The partition start sector was not specified for /dev/loop0 and it could not be obtained automatically. It has been set to 0.
The number of sectors per track was not specified for /dev/loop0 and it could not be obtained automatically. It has been set to 0.
The number of heads was not specified for /dev/loop0 and it could not be obtained automatically. It has been set to 0.
To boot from a device, Windows needs the 'partition start sector', the 'sectors per track' and the 'number of heads' to be set.
Windows will not be able to boot from this device.
fsconfig03.c:29: TBROK: fsopen() failed: ENODEV (19)
Therefore I'd skip it:
.skip_filesystems = (const char *const []){"ntfs", NULL},
> There are reproducers available for CVE-2022-0185
> https://www.openwall.com/lists/oss-security/2022/01/25/14
nit: I'd also change the commit message subject (i.e. first line) to something like
"fsconfig03: New test CVE-2022-0185"
(have taht 03)
> has links or even a zip file for an exploit
> https://github.com/Crusaders-of-Rust/CVE-2022-0185
nit: also add blank line here (readability).
> The exploits are kind of complicated as they try to be complete,
> but the exploitation vector is the fsconfig() syscall,
> this case used for add some coverage to that to detect it.
> Signed-off-by: Wei Gao <wegao@suse.com>
...
> +++ b/runtest/syscalls
> @@ -383,6 +383,7 @@ fremovexattr02 fremovexattr02
> fsconfig01 fsconfig01
> fsconfig02 fsconfig02
> +fsconfig03 fsconfig03
There should be *also* entry in runtest/cve:
CVE-2022-0185 fsconfig03
...
> +++ b/testcases/kernel/syscalls/fsconfig/fsconfig03.c
> @@ -0,0 +1,64 @@
> +// SPDX-License-Identifier: GPL-2.0-or-later
> +/*
> + * Copyright (c) 2023 Wei Gao <wegao@suse.com>
If you used code from elsewhere (although rewritten), you should add the
copyright of the author.
> + */
> +
> +/*\
> + * [Description]
> + *
> + * Test add some coverage to CVE-2022-0185.
> + * Try to trigger a crash.
> + * References links:
> + * https://www.openwall.com/lists/oss-security/2022/01/25/14
> + * https://github.com/Crusaders-of-Rust/CVE-2022-0185
> + */
I suggest something like this (you would understand me if you had run 'cd
metadata && make' and then had ../looked at resulted ../docparse/metadata.html):
/*\
* [Description]
*
* Test for CVE-2022-0185.
*
* References links:
* - https://www.openwall.com/lists/oss-security/2022/01/25/14
* - https://github.com/Crusaders-of-Rust/CVE-2022-0185
*/
> +
> +#include "tst_test.h"
> +#include "lapi/fsmount.h"
> +
> +#define MNTPOINT "mntpoint"
> +
> +static int fd = -1;
> +
> +static void setup(void)
> +{
> + fsopen_supported_by_kernel();
> +
> + TEST(fd = fsopen(tst_device->fs_type, 0));
> + if (fd == -1)
> + tst_brk(TBROK | TTERRNO, "fsopen() failed");
> +
> +}
> +
> +static void cleanup(void)
> +{
> + if (fd != -1)
> + SAFE_CLOSE(fd);
> +}
> +
> +static void run(void)
> +{
> + char *val = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
> +
> + for (unsigned int i = 0; i < 5000; i++)
> + TEST(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0));
@Richie, interesting, make check cannot detect FSCONFIG_SET_STRING
(from <linux/mount.h> or <sys/mount.h>):
CHECK testcases/kernel/syscalls/fsconfig/fsconfig03.c
fsconfig03.c:44:17: error: undefined identifier 'FSCONFIG_SET_STRING'
> +
> + tst_res(TPASS | TTERRNO, "Try fsconfig overflow on %s done! Failed as expected", tst_device->fs_type);
> +}
> +
> +static struct tst_test test = {
> + .test_all = run,
> + .setup = setup,
> + .cleanup = cleanup,
> + .needs_root = 1,
> + .format_device = 1,
> + .mntpoint = MNTPOINT,
> + .all_filesystems = 1,
> + .min_kver = "5.17",
You probably add it because 722d94847de29 comes from 5.17-rc1, but that should
go away, because this fix has been backported to (at least) sles kernels (which
are older).
> + .tags = (const struct tst_tag[]) {
> + {"linux-git", "722d94847de29"},
> + {"CVE", "2020-29373"},
IMHO CVE-2020-29373 is about io_uring
https://nvd.nist.gov/vuln/detail/CVE-2020-29373
Does it really belong to this test? If yes, it has another kernel fix.
And you don't mention it in docparse description.
> + {"CVE", "2022-0185"},
> + {}
> + }
> +};
--
Mailing list info: https://lists.linux.it/listinfo/ltp
next prev parent reply other threads:[~2023-02-09 14:16 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-29 11:50 [LTP] [PATCH v1] fsconfig: New case cover CVE-2022-0185 Wei Gao via ltp
2023-02-01 12:49 ` Petr Vorel
2023-02-06 10:38 ` Wei Gao via ltp
2023-02-06 16:19 ` Petr Vorel
2023-02-08 9:01 ` Wei Gao via ltp
2023-02-08 15:48 ` Petr Vorel
2023-02-09 2:25 ` Wei Gao via ltp
2023-02-09 10:10 ` Cyril Hrubis
2023-02-09 11:37 ` Wei Gao via ltp
2023-02-06 16:42 ` Wei Gao via ltp
2023-02-09 13:19 ` [LTP] [PATCH v2] " Wei Gao via ltp
2023-02-09 14:15 ` Petr Vorel [this message]
2023-02-09 14:27 ` Cyril Hrubis
2023-02-09 14:40 ` Petr Vorel
2023-02-09 14:53 ` Cyril Hrubis
2023-02-09 14:35 ` Petr Vorel
2023-02-09 14:52 ` Cyril Hrubis
2023-02-09 15:18 ` Petr Vorel
2023-02-10 8:22 ` Wei Gao via ltp
2023-02-10 9:00 ` Wei Gao via ltp
2023-02-13 1:09 ` [LTP] [PATCH v3] fsconfig03: New test CVE-2022-0185 Wei Gao via ltp
2023-02-14 11:05 ` Richard Palethorpe
2023-02-16 9:42 ` Wei Gao via ltp
2023-02-16 12:09 ` Richard Palethorpe
2023-02-16 12:54 ` Wei Gao via ltp
2023-02-16 23:52 ` [LTP] [PATCH v4] " Wei Gao via ltp
2023-02-17 7:48 ` Petr Vorel
2023-02-17 8:47 ` Petr Vorel
2023-02-17 9:19 ` Wei Gao via ltp
2023-02-27 16:20 ` Richard Palethorpe
2023-02-28 3:22 ` [LTP] [PATCH v5] " Wei Gao via ltp
2023-02-28 3:27 ` [LTP] [PATCH v6] " Wei Gao via ltp
2023-02-28 8:49 ` Richard Palethorpe
2023-03-01 13:46 ` Martin Doucha
2023-03-01 14:12 ` Wei Gao via ltp
2023-03-02 1:45 ` [LTP] [PATCH v7] fsconfig03: SKIP check return value for old kernel Wei Gao via ltp
2023-03-02 10:00 ` Petr Vorel
2023-03-02 10:45 ` Wei Gao via ltp
2023-03-02 10:03 ` Petr Vorel
2023-03-04 2:03 ` [LTP] [PATCH v8] " Wei Gao via ltp
2023-03-07 9:23 ` Petr Vorel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Y+UAENJVDUSDPAay@pevik \
--to=pvorel@suse.cz \
--cc=ltp@lists.linux.it \
--cc=rpalethorpe@suse.com \
--cc=wegao@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.