On Mon, Jan 09, 2017 at 12:55:18PM -0800, Darrick J. Wong wrote:
> Craft a malicious filesystem image with a negative inode size,
> then try to trigger a kernel DoS by appending data to the file.
> Ideally this should trigger verifier errors instead of hanging.
>
> Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
> ---
> v2: use $DEBUGFS_PROG instead of debugfs; improve documentation

Thanks for all the updated patches! I fixed a minor typo locally and committed.

> diff --git a/tests/shared/401 b/tests/shared/401 > new file mode 100755 > index 0000000..7b61cbb > --- /dev/null > +++ b/tests/shared/401 > @@ -0,0 +1,77 @@ > +#! /bin/bash > +# FSQA Test No. 401 > +# > +# Since loff_t is a signed type, it is invalid for a filesystem to load > +# an inode with i_size = -1ULL. Unfortunately, nobody checks this, > +# which means that we can trivially DoS the VFS by creating such a file > +# and appending to it. This causes an integer overflow in the routines > +# underlying writeback, which results in the kernel locking up. > +# > +# So, create this malformed inode and try a buffered dio append to make
^^^^^^^^
I removed the "buffered" here and from xfs/401.

Thanks,
Eryu
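Review bot: The header comment's "Unfortunately, nobody checks this" describes the kernel at the time the test was written and will read as wrong once a size check is merged; wording it as "kernels that do not validate i_size on load" keeps the comment accurate after the fix. In the same comment, "i_size = -1ULL" would be clearer spelled out as an on-disk size with all 64 bits set that turns negative when loaded into the signed loff_t, which also ties it to the "negative inode size" wording in the commit message.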