[SRU][T][PATCH 0/1] CVE-2016-10741 - Local DoS in XFS

Hui Wang hui.wang at canonical.com
Wed Feb 20 14:53:29 UTC 2019


On 2019/2/19 8:48 PM, Tyler Hicks wrote:
> On 2019-02-19 19:32:56, Hui Wang wrote:
>> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10741.html
>>
>> In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to
>> cause a denial of service (system crash) because there is a race condition
>> between direct and memory-mapped I/O (associated with a hole) that is
>> handled with BUG_ON instead of an I/O failure.
>>
>> This issue is only for the trusty kernel. The original patch context is different
>> from the trusty kernel, so I backported this patch rather than cherry-picking it.
>>
>> I think the backport is safe since the logic is the same as the original
>> patch (if there are both direct and mapped-I/O accesses to a file at the same
>> time, don't BUG_ON() unconditionally; instead we return EIO or
>> WARN_ON_ONCE() conditionally).
>>
>> Build test passes.
>>
>> I generated an xfs filesystem based on a file (dd, mount and mkfs.xfs) and did
>> some basic file operations (generate a new file, write something to
>> this file, read from this file, delete this file); everything
>> works fine as before.
> Thanks for working on this fix. Would you be able to run the test
> mentioned in the commit message of the fix?
>
>    https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/tests/generic/095
>
> Thanks!

I ran the test case above under the original trusty kernel and could not
reproduce the issue (trigger the BUG_ON(1)). After running the test
case, it hangs somewhere, but I can confirm the hang is not related
to this CVE, since when it hangs, it is not in the function
__xfs_get_blocks(), and I tested the 3.16 and 3.19 kernels (they all have
this CVE issue); they all don't hang and can't trigger the BUG_ON(1) in
__xfs_get_blocks().

The test steps I did:

boot a trusty linux in the kvm

dd if=/dev/zero of=./test1.img bs=1M count=100
mkfs.xfs ./test1.img
sudo losetup /dev/loop1 ./test1.img

dd if=/dev/zero of=./test.img bs=1M count=100
mkfs.xfs ./test.img
sudo losetup /dev/loop0 ./test.img

sudo su

export TEST_DIR=/mnt
export TEST_DEV=/dev/loop1
export SCRATCH_MNT=/scrat
export SCRATCH_DEV=/dev/loop0

/var/lib/xfstests/check generic/095


> Tyler
>
>> Brian Foster (1):
>>    xfs: don't BUG() on mixed direct and mapped I/O
>>
>>   fs/xfs/xfs_aops.c | 21 ++++++++++++++++++++-
>>   1 file changed, 20 insertions(+), 1 deletion(-)
>>
>> -- 
>> 2.17.1
>>
>>
>> -- 
>> kernel-team mailing list
>> kernel-team at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
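A script for the loop-device setup described in the message above, added here as an example; it is not part of the thread or of the xfstests project. It assumes xfstests is installed under /var/lib/xfstests (as in the message), mkfs.xfs and losetup are available, and /mnt/test and /mnt/scratch are used as mount points (the message used /mnt and /scrat). By default it only prints the commands it would run; set DRY_RUN=0 and run it as root to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): set up two loop-backed XFS images as
# the xfstests TEST and SCRATCH devices and run generic/095, the regression
# test for the mixed direct/mmap I/O race. Assumptions: xfstests under
# /var/lib/xfstests, mkfs.xfs and losetup present, root when DRY_RUN=0.
# With DRY_RUN=1 (the default) every command is printed instead of executed,
# so the plan can be reviewed before anything touches the host.

IMG_SIZE_MB="${IMG_SIZE_MB:-100}"
XFSTESTS_DIR="${XFSTESTS_DIR:-/var/lib/xfstests}"
DRY_RUN="${DRY_RUN:-1}"

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# make_loop_xfs IMAGE LOOPDEV: create a zero-filled image, format it as XFS
# (-f overwrites a stale superblock left by an earlier run) and attach it
# to the given loop device, in the same order as the message's steps.
make_loop_xfs() {
    run dd if=/dev/zero of="$1" bs=1M count="$IMG_SIZE_MB"
    run mkfs.xfs -f "$1"
    run losetup "$2" "$1"
}

# configure_xfstests_env TEST_DIR TEST_DEV SCRATCH_MNT SCRATCH_DEV:
# export the four variables xfstests reads for its device layout.
configure_xfstests_env() {
    TEST_DIR="$1"; TEST_DEV="$2"; SCRATCH_MNT="$3"; SCRATCH_DEV="$4"
    export TEST_DIR TEST_DEV SCRATCH_MNT SCRATCH_DEV
}

main() {
    make_loop_xfs ./test.img /dev/loop1
    make_loop_xfs ./scratch.img /dev/loop0
    run mkdir -p /mnt/test /mnt/scratch
    configure_xfstests_env /mnt/test /dev/loop1 /mnt/scratch /dev/loop0

    # Keep the test's exit status but always detach the loop devices
    # afterwards so a rerun starts from a clean state.
    status=0
    run "$XFSTESTS_DIR/check" generic/095 || status=$?
    run losetup -d /dev/loop1
    run losetup -d /dev/loop0
    return "$status"
}

main
```

The dry run prints the exact dd/mkfs.xfs/losetup/check sequence; comparing that output against the steps in the message is a quick way to confirm the device roles (loop1 as TEST_DEV, loop0 as SCRATCH_DEV) before running it for real.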
