Re: [LTP] [PATCH v1] fsconfig: New case cover CVE-2022-0185

[Cyril Hrubis <chrubis@suse.cz>]

Hi!
> Let me explain more detail for this:
> 
> CVE-2022-0185 security bug popped up since 5.1-rc1 and fixed by 722d94847de29 in v5.17-rc1~50, so normally we should check build from v5.17.
> Most important thing is this security issue ONLY happen if fsconfig go through legacy_parse_param function(security issue happen and fixed within this function).
>
> But:
> For xfs filesystem, from v5.5-rc1 already start use xfs_fs_parse_param instead of  legacy_parse_param, so make no sense check this secruity issue
> For ext2&ext3&ext4, after patch cebe85d570cf8 in v5.17-rc1~131^2~36, use ext4_parse_param instead of legacy_parse_param, so also make no sense check 
> 
> In summary, we can reject this test case since from v5.17, ext2/ext4/xfs not go through legacy_parse_param and means we can not verify security fix 
> 722d94847de29(this fix happen in legacy_parse_param.)

Quite contrary it make sense to add regression tests for kernel and keep them
running on all filesystems and never releases since you never know when
similar mistake will make it into the kernel code again. It does not
make much sense to invest time into tests only to keep them disabled
later on.

More generally it makes sense to try to throw all kind of garbage
strings into fsconfig() and expect to get EINVAL or other sane behavior,
writing such tests is the only way to avoid or at least catch most CVEs
before they happen.

-- 
Cyril Hrubis
chrubis@suse.cz

-- 
Mailing list info: https://lists.linux.it/listinfo/ltp