authorSun Ke <sunke32@huawei.com>2021-12-16 17:32:19 +0800
committerEryu Guan <guaneryu@gmail.com>2021-12-19 23:24:56 +0800
commit58e358032ac1f50acdb66615c04875d5375a6053 (patch)
treebbd7afb069a4dafff53766bfd044205788e6c024
parent0d04edb16471eac30e28f00bffd493e0eaf032eb (diff)
downloadxfstests-dev-58e358032ac1f50acdb66615c04875d5375a6053.tar.gz
ext4: illegal memory access caused by quota index information error
The quota index information in the image is tampered with, causing an illegal memory access. It is a regression test for kernel commits - 9bf3d2033129 quota: check block number when reading the block in quota file - d0e36a62bd4c quota: correct error number in free_dqentry() Signed-off-by: Sun Ke <sunke32@huawei.com> Reviewed-by: Eryu Guan <guaneryu@gmail.com> Signed-off-by: Eryu Guan <guaneryu@gmail.com>
-rwxr-xr-xtests/ext4/05554
-rw-r--r--tests/ext4/055.out2
2 files changed, 56 insertions, 0 deletions
diff --git a/tests/ext4/055 b/tests/ext4/055
new file mode 100755
index 0000000000..8f466f1b03
--- /dev/null
+++ b/tests/ext4/055
@@ -0,0 +1,54 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2021 Huawei. All Rights Reserved.
+#
+# FS QA Test 055
+#
+# The preceding illegal memory access problem occurs due to tampering with the
+# quota index information in the image.
+#
+# Regression test for kernel
+# commit 9bf3d2033129 quota: check block number when reading the block in quota file
+# commit d0e36a62bd4c quota: correct error number in free_dqentry()
+#
+# The test is based on a testcase from Zhang Yi <yi.zhang@huawei.com>.
+#
+. ./common/preamble
+_begin_fstest auto quota
+
+# real QA test starts here
+_require_scratch_nocheck
+_supported_fs ext4
+_require_user fsgqa
+_require_user fsgqa2
+_require_command "$DEBUGFS_PROG" debugfs
+
+echo "Silence is golden"
+
+# The 1K blocksize is designed for debugfs.
+_scratch_mkfs "-F -O quota -b 1024" > $seqres.full 2>&1
+
+# Start from 0, fill block 1 with 6,replace the original 2.
+# The purpose is change the normal index order from 1->2->3->4->5 to 1->6->0.
+$DEBUGFS_PROG -w -R "zap_block -o 0 -l 1 -p 6 -f <3> 1" $SCRATCH_DEV >> $seqres.full 2>&1
+_scratch_mount >> $seqres.full 2>&1
+
+# Quota with user id 0 switch to quota with user id fsgqa, quota with user id 0 should
+# be release, but it can not be released because of block 6 is used by other quota.
+chown fsgqa:fsgqa $SCRATCH_MNT >> $seqres.full 2>&1
+touch $SCRATCH_MNT/foo >> $seqres.full 2>&1
+
+# In the process of deleting foo, will get the next block is 0 from block 6.
+# Block 0 is illegitimate, because it is the superblock of quota file.
+# It will take magic number from block 0 as block number, and assign block number to
+# info->dqi_free_blk
+rm -f $SCRATCH_MNT/foo
+
+# Switch the quota, the wrong block number will be larger then INX_MAX, and it will be
+# return as a error code. Since the error code is not available, dqget() will change it
+# to a invalid address, use this address will trigger problem.
+chown fsgqa2:fsgqa2 $SCRATCH_MNT >> $seqres.full 2>&1
+
+# success, all done
+status=0
+exit
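Review bot: Nothing confirms that the `zap_block` write on the `$DEBUGFS_PROG` line took effect, because its output and status go only to `$seqres.full` and the script carries on. If the quota file in inode `<3>` is left unmodified, the test still prints the golden output and passes without reaching the corrupted index path, so a kernel missing the two fixes could be reported as good. At minimum append `|| _fail "debugfs zap_block failed"` to that line, and preferably read the block back before `_scratch_mount`, since a failed debugfs request may not be reflected in the exit status. The `_scratch_mkfs` line has the same gap, as its failure is only logged. The header comment could also state that detection relies on the kernel log or a crash rather than on the golden output.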
diff --git a/tests/ext4/055.out b/tests/ext4/055.out
new file mode 100644
index 0000000000..e806fb565a
--- /dev/null
+++ b/tests/ext4/055.out
@@ -0,0 +1,2 @@
+QA output created by 055
+Silence is golden