[SRU][T][PATCH 0/1] CVE-2016-10741 - Local DoS in XFS
Tyler Hicks
tyhicks at canonical.com
Wed Feb 20 15:06:01 UTC 2019
On 2019-02-20 22:53:29, Hui Wang wrote:
> On 2019/2/19 8:48 PM, Tyler Hicks wrote:
> > On 2019-02-19 19:32:56, Hui Wang wrote:
> > > https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10741.html
> > >
> > > In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to
> > > cause a denial of service (system crash) because there is a race condition
> > > between direct and memory-mapped I/O (associated with a hole) that is
> > > handled with BUG_ON instead of an I/O failure.
> > >
> > > This issue is only for the trusty kernel. The original patch context is different
> > > from the trusty kernel's, so I backported this patch rather than cherry-picking it.
> > >
> > > I think the backport is safe since the logic is the same as in the original
> > > patch (if there is both direct and mapped I/O access to a file at the same
> > > time, don't BUG_ON() unconditionally; instead we will return EIO or
> > > WARN_ON_ONCE() conditionally).
> > >
> > > Build test passes.
> > >
> > > I generated an xfs filesystem based on a file (dd, mount and mkfs.xfs) and did
> > > some basic file operations (generate a new file, write something to
> > > this file, read from this file, delete this file); everything
> > > works fine as before.
> > Thanks for working on this fix. Would you be able to run the test
> > mentioned in the commit message of the fix?
> >
> > https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/tests/generic/095
> >
> > Thanks!
>
> I ran the test case above under the original trusty kernel and could not
> reproduce the issue (trigger the BUG_ON(1)). After running the test
> case, it hangs somewhere, but I can confirm the hang is not related to
> this CVE, since when it hangs it is not in the function
> __xfs_get_blocks(), and I tested the 3.16 and 3.19 kernels (they all have this
> CVE issue); they all don't hang and can't trigger the BUG_ON(1) in
> __xfs_get_blocks().
Can you clarify if the test hangs in these situations:
1) without your backport applied
2) with your backport applied
Tyler
>
> The test steps I did:
>
> boot a trusty linux in the kvm
>
> dd if=/dev/zero of=./test1.img bs=1M count=100
> mkfs.xfs ./test1.img
> sudo losetup /dev/loop1 ./test1.img
>
> dd if=/dev/zero of=./test.img bs=1M count=100
> mkfs.xfs ./test.img
> sudo losetup /dev/loop0 ./test.img
>
> sudo su
>
> export TEST_DIR=/mnt
> export TEST_DEV=/dev/loop1
> export SCRATCH_MNT=/scrat
> export SCRATCH_DEV=/dev/loop0
>
> /var/lib/xfstests/check generic/095
>
>
> > Tyler
> >
> > > Brian Foster (1):
> > > xfs: don't BUG() on mixed direct and mapped I/O
> > >
> > > fs/xfs/xfs_aops.c | 21 ++++++++++++++++++++-
> > > 1 file changed, 20 insertions(+), 1 deletion(-)
> > >
> > > --
> > > 2.17.1
> > >
> > >
> > > --
> > > kernel-team mailing list
> > > kernel-team at lists.ubuntu.com
> > > https://lists.ubuntu.com/mailman/listinfo/kernel-team
>
>
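The loop-device setup and xfstests invocation quoted above, turned into a reusable script. This is an added example, not code from the thread or from the xfstests project: it assumes xfstests is installed under /var/lib/xfstests as in the thread, that `losetup --find --show`, `mkfs.xfs` and `timeout` are available, and it is run as root. Beyond the thread's steps it adds cleanup of the loop devices and mounts, a timeout so a hung run (like the one reported above) does not block an automated test indefinitely, and a small parser for the summary that `check` prints, exercised on constructed sample output so that part can be checked without root.

```shell
#!/bin/sh
# Added example: automate the generic/095 run described in the thread.
set -eu

IMG_DIR="${IMG_DIR:-$PWD}"                       # where the image files live
IMG_SIZE_MB="${IMG_SIZE_MB:-100}"                # 100 MB, as in the thread
XFSTESTS_DIR="${XFSTESTS_DIR:-/var/lib/xfstests}" # assumed install path
CHECK_TIMEOUT="${CHECK_TIMEOUT:-1800}"            # seconds before giving up

# Print the environment block that xfstests' check script reads.
# Pure function: arguments are TEST_DEV SCRATCH_DEV TEST_DIR SCRATCH_MNT.
xfstests_env() {
    printf 'TEST_DIR=%s\nTEST_DEV=%s\nSCRATCH_MNT=%s\nSCRATCH_DEV=%s\n' \
        "$3" "$1" "$4" "$2"
}

# Interpret the tail of check's output.
# Returns 0 if every test passed, 1 on any failure, 2 if no summary line is
# present (typically because the run hung and was killed by timeout).
check_result() {
    if printf '%s\n' "$1" | grep -q '^Passed all '; then
        return 0
    elif printf '%s\n' "$1" | grep -qE '^(Failures:|Failed )'; then
        return 1
    fi
    return 2
}

# Constructed sample tails of check's output, used only to exercise
# check_result offline; they are not captured from a real run.
SAMPLE_PASS='Ran: generic/095
Passed all 1 tests'
SAMPLE_FAIL='Ran: generic/095
Failures: generic/095
Failed 1 of 1 tests'
SAMPLE_HANG='Ran: generic/095'

# Create an image file and format it as XFS (same as dd + mkfs.xfs above).
make_xfs_image() {
    dd if=/dev/zero of="$1" bs=1M count="$IMG_SIZE_MB" 2>/dev/null
    mkfs.xfs -q -f "$1"
}

# Attach an image to the first free loop device and print the device name,
# instead of hard-coding /dev/loop0 and /dev/loop1.
attach_loop() {
    losetup --find --show "$1"
}

cleanup() {
    # Best effort: unmount whatever check left mounted, then detach loops.
    umount "${TEST_DIR:-/mnt}" 2>/dev/null || true
    umount "${SCRATCH_MNT:-/scrat}" 2>/dev/null || true
    [ -n "${TEST_DEV:-}" ] && losetup -d "$TEST_DEV" 2>/dev/null || true
    [ -n "${SCRATCH_DEV:-}" ] && losetup -d "$SCRATCH_DEV" 2>/dev/null || true
}

run_generic_095() {
    trap cleanup EXIT INT TERM
    make_xfs_image "$IMG_DIR/test1.img"
    make_xfs_image "$IMG_DIR/test.img"
    TEST_DEV=$(attach_loop "$IMG_DIR/test1.img")
    SCRATCH_DEV=$(attach_loop "$IMG_DIR/test.img")
    TEST_DIR=/mnt
    SCRATCH_MNT=/scrat
    mkdir -p "$TEST_DIR" "$SCRATCH_MNT"
    export TEST_DIR TEST_DEV SCRATCH_MNT SCRATCH_DEV

    # timeout returns 124 when it kills check; the output is then incomplete
    # and check_result reports 2 rather than mistaking a hang for a pass.
    out=$(cd "$XFSTESTS_DIR" && timeout "$CHECK_TIMEOUT" ./check generic/095 2>&1) || true
    printf '%s\n' "$out"
    rc=0
    check_result "$out" || rc=$?
    case $rc in
        0) echo "generic/095: passed" ;;
        1) echo "generic/095: FAILED" ;;
        *) echo "generic/095: no result (hung or killed after ${CHECK_TIMEOUT}s)" ;;
    esac
    return "$rc"
}

# Only perform the root-only setup when explicitly asked: ./run095.sh run
if [ "${1:-}" = "run" ]; then
    run_generic_095
fi
```

Invoke it as `./run095.sh run` as root. Note that `timeout` can only kill `check` if the hang is in user space; a task stuck in an uninterruptible kernel path (as a BUG_ON or a filesystem deadlock would leave it) will not respond, so for the kind of hang discussed in the thread the timeout mainly keeps the harness from waiting forever and the result should be treated as "no result", not as a pass.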