Re: [LTP] [PATCH v1] fsconfig: New case cover CVE-2022-0185

[Wei Gao via ltp <ltp@lists.linux.it>]

On Thu, Feb 09, 2023 at 11:10:46AM +0100, Cyril Hrubis wrote:
> Hi!
> > Let me explain more detail for this:
> > 
> > CVE-2022-0185 security bug popped up since 5.1-rc1 and fixed by 722d94847de29 in v5.17-rc1~50, so normally we should check build from v5.17.
> > Most important thing is this security issue ONLY happen if fsconfig go through legacy_parse_param function(security issue happen and fixed within this function).
> >
> > But:
> > For xfs filesystem, from v5.5-rc1 already start use xfs_fs_parse_param instead of  legacy_parse_param, so make no sense check this secruity issue
> > For ext2&ext3&ext4, after patch cebe85d570cf8 in v5.17-rc1~131^2~36, use ext4_parse_param instead of legacy_parse_param, so also make no sense check 
> > 
> > In summary, we can reject this test case since from v5.17, ext2/ext4/xfs not go through legacy_parse_param and means we can not verify security fix 
> > 722d94847de29(this fix happen in legacy_parse_param.)
> 
> Quite contrary it make sense to add regression tests for kernel and keep them
> running on all filesystems and never releases since you never know when
> similar mistake will make it into the kernel code again. It does not
> make much sense to invest time into tests only to keep them disabled
> later on.
> 
> More generally it makes sense to try to throw all kind of garbage
> strings into fsconfig() and expect to get EINVAL or other sane behavior,
> writing such tests is the only way to avoid or at least catch most CVEs
> before they happen.
> 

Thanks for review this, i will update the case later.

> -- 
> Cyril Hrubis
> chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp