[LTP] [PATCH v6] fsconfig03: New test CVE-2022-0185
Wei Gao
wegao@suse.com
Wed Mar 1 15:12:22 CET 2023
On Wed, Mar 01, 2023 at 02:46:16PM +0100, Martin Doucha wrote:
> Hi,
>
> On 28. 02. 23 4:27, Wei Gao via ltp wrote:
> > + for (size_t i = 0; i < 5000; i++) {
> > + /* use same logic in kernel legacy_parse_param function */
> > + const size_t len = i * (strlen(val) + 2) + (strlen(val) + 1) + 2;
> > +
> > + if (!strcmp(tst_device->fs_type, "btrfs") && len <= (size_t)pagesize)
> > + TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0));
> > + else
> > + TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0),
> > + EINVAL);
> > + }
>
> This special case for Btrfs is wrong. Btrfs is just the last major
> filesystem which does not implement its own fsconfig() handlers in the
> latest kernel release. But on older kernels, the same applies to other
> filesystems as well.
>
For old kernel btrfs ONLY can update legacy_parse_param() so above logic will pass.
> Any other filesystem that still uses legacy_parse_param() and has the CVE
> fix applied will fail this test with exactly 117 error messages on x86.
> That's how many iterations it takes to fill 4KB buffer with the test string.
I expect most of other scenario will use new parse_param function instead of legacy_parse_param.
The security fix should use commit which change parse function instead of update old legacy_parse_param().
>
> --
> Martin Doucha mdoucha@suse.cz
> QA Engineer for Software Maintenance
> SUSE LINUX, s.r.o.
> CORSO IIa
> Krizikova 148/34
> 186 00 Prague 8
> Czech Republic
>
More information about the ltp
mailing list