[LTP] [PATCH v6] fsconfig03: New test CVE-2022-0185

Wei Gao wegao@suse.com
Wed Mar 1 15:12:22 CET 2023


On Wed, Mar 01, 2023 at 02:46:16PM +0100, Martin Doucha wrote:
> Hi,
> 
> On 28. 02. 23 4:27, Wei Gao via ltp wrote:
> > +	for (size_t i = 0; i < 5000; i++) {
> > +		/* use same logic in kernel legacy_parse_param function */
> > +		const size_t len = i * (strlen(val) + 2) + (strlen(val) + 1) + 2;
> > +
> > +		if (!strcmp(tst_device->fs_type, "btrfs") && len <= (size_t)pagesize)
> > +			TST_EXP_PASS_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0));
> > +		else
> > +			TST_EXP_FAIL_SILENT(fsconfig(fd, FSCONFIG_SET_STRING, "\x00", val, 0),
> > +					    EINVAL);
> > +	}
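Review bot: the pass/fail expectation in `if (!strcmp(tst_device->fs_type, "btrfs") && len <= (size_t)pagesize)` is keyed to the filesystem name, but whether a filesystem is still routed through legacy_parse_param() depends on the kernel version, not on fs_type; on a kernel where another filesystem still takes the legacy path with the fix applied, every iteration with len <= pagesize succeeds while the else branch expects EINVAL, which is the run of failures described below. Consider deriving the expectation from the result of the first fsconfig() call (success means the legacy path is in use, so expect success until len exceeds pagesize and EINVAL afterwards) rather than from fs_type, and expand the comment "use same logic in kernel legacy_parse_param function" to say which terms of the kernel's bound the `+ 2` and `(strlen(val) + 1)` in the len expression correspond to, since an off-by-one there moves the boundary at which the expected errno flips. Minor: strlen(val) does not change inside the loop and can be computed once before it.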
> 
> This special case for Btrfs is wrong. Btrfs is just the last major
> filesystem which does not implement its own fsconfig() handlers in the
> latest kernel release. But on older kernels, the same applies to other
> filesystems as well.
> 
For old kernels, only btrfs can update legacy_parse_param(), so the above logic will pass.
> Any other filesystem that still uses legacy_parse_param() and has the CVE
> fix applied will fail this test with exactly 117 error messages on x86.
> That's how many iterations it takes to fill 4KB buffer with the test string.
I expect most other scenarios will use the new parse_param function instead of legacy_parse_param.
The security fix should use the commit which changes the parse function instead of updating the old legacy_parse_param().


> 
> -- 
> Martin Doucha   mdoucha@suse.cz
> QA Engineer for Software Maintenance
> SUSE LINUX, s.r.o.
> CORSO IIa
> Krizikova 148/34
> 186 00 Prague 8
> Czech Republic
> 
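As an added illustration of the length accounting discussed in this thread (written for this reply, not code from the LTP patch or from the kernel), the following C program models the option buffer filled by legacy_parse_param() with the pre-fix bound beside the post-fix one. The 4 KiB page size, the empty key (as used by the test) and the value strings are constructed assumptions, and the model covers string-valued options only. It shows that both checks reject an option once the accumulated ",key=value" text no longer fits, which is why a filesystem still on the legacy path returns success below the page size and EINVAL above it, and that the pre-fix check stops rejecting altogether once the buffer has been filled to exactly the page size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added userspace model of the option accumulation in the kernel's
 * legacy_parse_param() (fs/fs_context.c). It is an illustration written for
 * this thread, not kernel or LTP code. Assumptions: a 4 KiB page, and only
 * string-valued options (FSCONFIG_SET_STRING), which are appended to a
 * one-page buffer as ",key=value".
 */

#define MODEL_PAGE_SIZE ((size_t)4096)

/*
 * Pre-fix bound (CVE-2022-0185). The subtraction is unsigned, so once the
 * buffer holds MODEL_PAGE_SIZE - 1 or exactly MODEL_PAGE_SIZE bytes the
 * right-hand side wraps to a huge value and every further option passes.
 */
static bool legacy_bound_vulnerable(size_t size, size_t len)
{
	return !(len > MODEL_PAGE_SIZE - 2 - size);
}

/* Post-fix bound: accept only while ",key=value" still fits in the page. */
static bool legacy_bound_fixed(size_t size, size_t len)
{
	return size + len + 2 <= MODEL_PAGE_SIZE;
}

struct fill_result {
	size_t first_rejected;	/* index of the first refused option, or max_iters */
	size_t final_size;	/* bytes the model would have written in total */
	bool overflowed;	/* final_size > MODEL_PAGE_SIZE: the overflow fired */
};

/*
 * Feed the same (key, value) pair up to max_iters times, as the LTP loop
 * above does, and stop at the first rejection. 'bound' is the check under
 * test.
 */
static struct fill_result fill_legacy_data(const char *key, const char *value,
					   size_t max_iters,
					   bool (*bound)(size_t, size_t))
{
	struct fill_result r = { max_iters, 0, false };
	/* the kernel sizes a string option as strlen(key) + strlen(value) */
	const size_t len = strlen(key) + strlen(value);
	size_t size = 0;

	for (size_t i = 0; i < max_iters; i++) {
		if (!bound(size, len)) {
			r.first_rejected = i;
			break;
		}
		/* one ',', the key, one '=' and the value are appended */
		size += len + 2;
	}
	r.final_size = size;
	r.overflowed = size > MODEL_PAGE_SIZE;
	return r;
}

static void report(const char *name, struct fill_result r)
{
	printf("%-10s first rejected at %zu, total %zu bytes, overflow: %s\n",
	       name, r.first_rejected, r.final_size, r.overflowed ? "yes" : "no");
}

int main(void)
{
	/*
	 * Constructed inputs: the empty key the LTP test uses, a 14-byte value
	 * (14 + 2 = 16 divides 4096, so the buffer lands exactly on the page
	 * boundary) and a 16-byte value (18 does not divide 4096).
	 */
	const char *exact = "ABCDEFGHIJKLMN";
	const char *inexact = "0123456789ABCDEF";

	report("vuln/14", fill_legacy_data("", exact, 5000, legacy_bound_vulnerable));
	report("fixed/14", fill_legacy_data("", exact, 5000, legacy_bound_fixed));
	report("vuln/16", fill_legacy_data("", inexact, 5000, legacy_bound_vulnerable));
	report("fixed/16", fill_legacy_data("", inexact, 5000, legacy_bound_fixed));
	return 0;
}
```

Build with `cc -std=c99 -Wall` and run it: with the 16-byte value both bounds reject the 228th option at 4086 bytes, because the buffer never lands exactly on the page boundary; with the 14-byte value the fixed bound rejects the 257th option at exactly 4096 bytes, while the pre-fix bound wraps and accepts all 5000, writing far past the page. The latter is the condition the CVE fix closes, and the former is the EINVAL boundary the LTP loop probes.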

