On Wed, Feb 13, 2019 at 12:48:14PM -0800, Darrick J. Wong wrote:
> --- /dev/null > +++ b/src/t_attr_corruption.c > @@ -0,0 +1,122 @@ > +// SPDX-License-Identifier: GPL-2.0+ > +/* > + * Copyright (C) 2019 Oracle. All Rights Reserved. > + * Author: Darrick J. Wong <darrick.wong@xxxxxxxxxx> > + * > + * Test program to tickle a use-after-free bug in xfs. > + * > + * XFS had a use-after-free bug when xfs_xattr_put_listent runs out of > + * listxattr buffer space while trying to store the name > + * "system.posix_acl_access" and then corrupts memory by not checking the > + * seen_enough state and then trying to shove "trusted.SGI_ACL_FILE" into the > + * buffer as well. > + * > + * In order to tickle the bug in a user visible way we must have already put a > + * name in the buffer, so we take advantage of the fact that "security.evm" > + * sorts before "system.posix_acl_access" to make sure this happens. > + * > + * If we trigger the bug, the program will print the garbled string > + * "rusted.SGI_ACL_FILE". If the bug is fixed, the flistxattr call returns > + * ERANGE. > + */ > +#include <sys/types.h> > +#include <sys/stat.h> > +#include <fcntl.h> > +#include <stdlib.h> > +#include <stdio.h> > +#include <string.h> > +#include <stdint.h> > +#include <unistd.h> > +#include <attr/xattr.h>

This does not compile on some systems; sys/xattr.h works (it's provided by glibc) and is also used by other fstests' sources. I'm not sure where attr/xattr.h comes from; my devel package for libattr provides only attr/libattr.h.
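
Review bot: the header comment of src/t_attr_corruption.c labels this a use-after-free, but the mechanism it then describes (xfs_xattr_put_listent running out of listxattr buffer space, not checking seen_enough, and still trying to store "trusted.SGI_ACL_FILE") is a write outside the listxattr buffer rather than an access to freed memory. Suggest making the first sentence and the second paragraph agree with that description, for example "tickle a listxattr buffer corruption bug in xfs", so that anyone reading the test knows which class of failure it is meant to catch. The last paragraph says what a buggy kernel produces (the garbled "rusted.SGI_ACL_FILE") and that a fixed kernel returns ERANGE from flistxattr, but not what the program prints in the fixed case; one more sentence stating the expected output there would make a test failure easier to interpret.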