From: David Sterba <dsterba@suse.cz>
To: "Darrick J. Wong" <darrick.wong@oracle.com>
Cc: guaneryu@gmail.com, linux-xfs@vger.kernel.org, fstests@vger.kernel.org
Subject: Re: [PATCH 4/3] generic: posix acl extended attribute memory corruption test
Date: Wed, 20 Feb 2019 14:29:52 +0100 [thread overview]
Message-ID: <20190220132952.GW9874@twin.jikos.cz> (raw)
In-Reply-To: <20190213204814.GB6477@magnolia>
On Wed, Feb 13, 2019 at 12:48:14PM -0800, Darrick J. Wong wrote:
> --- /dev/null
> +++ b/src/t_attr_corruption.c
> @@ -0,0 +1,122 @@
> +// SPDX-License-Identifier: GPL-2.0+
> +/*
> + * Copyright (C) 2019 Oracle. All Rights Reserved.
> + * Author: Darrick J. Wong <darrick.wong@oracle.com>
> + *
> + * Test program to tickle a use-after-free bug in xfs.
> + *
> + * XFS had a use-after-free bug when xfs_xattr_put_listent runs out of
> + * listxattr buffer space while trying to store the name
> + * "system.posix_acl_access" and then corrupts memory by not checking the
> + * seen_enough state and then trying to shove "trusted.SGI_ACL_FILE" into the
> + * buffer as well.
> + *
> + * In order to tickle the bug in a user visible way we must have already put a
> + * name in the buffer, so we take advantage of the fact that "security.evm"
> + * sorts before "system.posix_acl_access" to make sure this happens.
> + *
> + * If we trigger the bug, the program will print the garbled string
> + * "rusted.SGI_ACL_FILE". If the bug is fixed, the flistxattr call returns
> + * ERANGE.
> + */
> +#include <sys/types.h>
> +#include <sys/stat.h>
> +#include <fcntl.h>
> +#include <stdlib.h>
> +#include <stdio.h>
> +#include <string.h>
> +#include <stdint.h>
> +#include <unistd.h>
> +#include <attr/xattr.h>
This does not compile on some systems, sys/xattr.h works (it's provided
by glibc) and is also used by other fstests' sources. I'm not sure where
does attr/xattr.h come from, my devel package for libattr provides only
attr/libattr.h.
next prev parent reply other threads:[~2019-02-20 13:28 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-12 2:17 [PATCH 0/3] fstests: fixes and new tests Darrick J. Wong
2019-02-12 2:17 ` [PATCH 1/3] common: fix kmemleak to work with sections Darrick J. Wong
2019-02-12 2:17 ` [PATCH 2/3] common: fix _require_btime for lazy filesystems Darrick J. Wong
2019-02-12 2:17 ` [PATCH 3/3] generic: check for reasonable inode creation time Darrick J. Wong
2019-02-13 20:48 ` [PATCH 4/3] generic: posix acl extended attribute memory corruption test Darrick J. Wong
2019-02-16 12:05 ` Eryu Guan
2019-02-16 17:24 ` Darrick J. Wong
2019-02-20 13:29 ` David Sterba [this message]
2019-02-20 14:09 ` Holger Hoffstätte
2019-02-20 18:58 ` Darrick J. Wong
2019-02-25 18:57 ` Jeff Mahoney
2019-02-25 21:00 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190220132952.GW9874@twin.jikos.cz \
--to=dsterba@suse.cz \
--cc=darrick.wong@oracle.com \
--cc=fstests@vger.kernel.org \
--cc=guaneryu@gmail.com \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox