[SRU][T][PATCH 0/1] CVE-2016-10741 - Local DoS in XFS

Hui Wang hui.wang at canonical.com
Wed Feb 20 15:08:58 UTC 2019


On 2019/2/20 11:06 PM, Tyler Hicks wrote:
> On 2019-02-20 22:53:29, Hui Wang wrote:
>> On 2019/2/19 8:48 PM, Tyler Hicks wrote:
>>> On 2019-02-19 19:32:56, Hui Wang wrote:
>>>> https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10741.html
>>>>
>>>> In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to
>>>> cause a denial of service (system crash) because there is a race condition
>>>> between direct and memory-mapped I/O (associated with a hole) that is
>>>> handled with BUG_ON instead of an I/O failure.
>>>>
>>>> This issue only affects the trusty kernel. Since the original patch's context
>>>> differs from the trusty kernel, I backported this patch rather than cherry-picking it.
>>>>
>>>> I think the backport is safe since the logic is the same as in the original
>>>> patch (if there is both direct and mapped I/O access to a file at the same
>>>> time, don't BUG_ON() unconditionally; instead we return EIO or
>>>> WARN_ON_ONCE() conditionally).
>>>>
>>>> Build test passes.
>>>>
>>>> I generated an XFS filesystem backed by a file (dd, mount and mkfs.xfs) and did
>>>> some basic file operations (create a new file, write something to it, read it
>>>> back, delete it); everything works fine as before.
>>> Thanks for working on this fix. Would you be able to run the test
>>> mentioned in the commit message of the fix?
>>>
>>>     https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/tests/generic/095
>>>
>>> Thanks!
>> I ran the test case above under the original trusty kernel and could not
>> reproduce the issue (trigger the BUG_ON(1)). After running the test case,
>> it hangs somewhere, but I can confirm the hang is not related to this CVE,
>> since when it hangs it is not in __xfs_get_blocks(). I also tested the 3.16
>> and 3.19 kernels (which both have this CVE issue); neither hangs nor triggers
>> the BUG_ON(1) in __xfs_get_blocks().
> Can you clarify if the test hangs in these situations:
>
> 1) without your backport applied
> 2) with your backport applied

It will hang both with and without the backported patch.


> Tyler
>
>> The test steps I did:
>>
>> Boot a trusty Linux in KVM.
>>
>> dd if=/dev/zero of=./test1.img bs=1M count=100
>> mkfs.xfs ./test1.img
>> sudo losetup /dev/loop1 ./test1.img
>>
>> dd if=/dev/zero of=./test.img bs=1M count=100
>> mkfs.xfs ./test.img
>> sudo losetup /dev/loop0 ./test.img
>>
>> sudo su
>>
>> export TEST_DIR=/mnt
>> export TEST_DEV=/dev/loop1
>> export SCRATCH_MNT=/scrat
>> export SCRATCH_DEV=/dev/loop0
>>
>> /var/lib/xfstests/check generic/095
>>
>>
>>> Tyler
>>>
>>>> Brian Foster (1):
>>>>     xfs: don't BUG() on mixed direct and mapped I/O
>>>>
>>>>    fs/xfs/xfs_aops.c | 21 ++++++++++++++++++++-
>>>>    1 file changed, 20 insertions(+), 1 deletion(-)
>>>>
>>>> -- 
>>>> 2.17.1
>>>>
>>>>
>>>> -- 
>>>> kernel-team mailing list
>>>> kernel-team at lists.ubuntu.com
>>>> https://lists.ubuntu.com/mailman/listinfo/kernel-team
>>
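The loop-device setup quoted above, turned into a reusable script. This is an added example written for this page, not code from the mail, from xfstests or from the Ubuntu kernel team; it assumes xfstests is installed under /var/lib/xfstests with its check script (as in the mail), that mkfs.xfs, losetup and truncate are available, and that run_generic_095 is invoked as root. The function names (validate_layout, make_xfs_image, attach_loop, run_generic_095) and the image directory are hypothetical. It differs from the quoted steps in creating the mount points, picking free loop devices instead of hard-coding /dev/loop0 and /dev/loop1, refusing to run when the test and scratch devices or mount points coincide, and detaching everything on exit.

```shell
#!/bin/sh
# Added example, not code from the mail above: a wrapper for the loop-backed
# xfstests procedure in the thread. Assumptions (not stated on the page):
# xfstests lives under /var/lib/xfstests with its "check" script; mkfs.xfs,
# losetup and truncate are installed; run_generic_095 runs as root.
set -eu

XFSTESTS_DIR=${XFSTESTS_DIR:-/var/lib/xfstests}   # assumed install path
IMG_DIR=${IMG_DIR:-/var/tmp/xfstests-loop}         # hypothetical image dir
IMG_SIZE_MB=${IMG_SIZE_MB:-100}                    # 100 MiB, as in the mail
TEST_DIR=${TEST_DIR:-/mnt}                         # from the mail
SCRATCH_MNT=${SCRATCH_MNT:-/scrat}                 # from the mail

# validate_layout TEST_DEV SCRATCH_DEV TEST_DIR SCRATCH_MNT
# xfstests reformats SCRATCH_DEV at will, so the scratch device and mount
# point must be distinct from the test ones; refuse to proceed otherwise.
validate_layout() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] && [ -n "$4" ] || return 1
    [ "$1" != "$2" ] || return 1
    [ "$3" != "$4" ] || return 1
    return 0
}

# make_xfs_image PATH SIZE_MB: sparse image file formatted as XFS.
make_xfs_image() {
    truncate -s "${2}M" "$1"
    mkfs.xfs -f -q "$1"
}

# attach_loop PATH: attach to the first free loop device and print its name,
# instead of hard-coding /dev/loop0 and /dev/loop1 as the quoted steps do.
attach_loop() {
    losetup --find --show "$1"
}

# Undo mounts and loop attachments whether check succeeds, fails or hangs
# and is killed.
cleanup() {
    umount "$SCRATCH_MNT" 2>/dev/null || true
    umount "$TEST_DIR" 2>/dev/null || true
    for dev in "${TEST_DEV:-}" "${SCRATCH_DEV:-}"; do
        [ -n "$dev" ] && losetup -d "$dev" 2>/dev/null || true
    done
}

run_generic_095() {
    mkdir -p "$IMG_DIR" "$TEST_DIR" "$SCRATCH_MNT"
    trap cleanup EXIT
    make_xfs_image "$IMG_DIR/test.img" "$IMG_SIZE_MB"
    make_xfs_image "$IMG_DIR/scratch.img" "$IMG_SIZE_MB"
    TEST_DEV=$(attach_loop "$IMG_DIR/test.img")
    SCRATCH_DEV=$(attach_loop "$IMG_DIR/scratch.img")
    validate_layout "$TEST_DEV" "$SCRATCH_DEV" "$TEST_DIR" "$SCRATCH_MNT"
    export TEST_DEV SCRATCH_DEV TEST_DIR SCRATCH_MNT
    cd "$XFSTESTS_DIR" && ./check generic/095
}

# Only act when explicitly asked, so sourcing the file is side-effect free.
if [ "${1:-}" = run ]; then
    run_generic_095
fi
```

Run it as root with the argument `run`; without it the file only defines the functions. As the thread notes, the signature to look for is the BUG_ON() in __xfs_get_blocks(), not a hang of generic/095 by itself.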