This adds a message indicating a double-fetch bug trigger for testing the SafeFetch patchset. It adds the message right before the fix for CVE-2016-6516 [1][2] introduced by Scott Bauer [3], which can be tested by first compiling the double-fetch program from [4] and running a shell script similar to the one provided by the SafeFetch paper authors in their artifacts repository (see: run_security_artifact.sh) [5].
In summary, you can compile the sample from [4], then clear dmesg, and run the sample with `./a.out 7 65534 1000000 0`. Then remove both files used in the sample, /tmp/test.txt and /tmp/test2.txt. Now count the bug warning messages in dmesg before clearing dmesg again. Then enable SafeFetch with `./safefetch_control.sh -hooks` followed by `./safefetch_control.sh -adaptive 4096 4096 0` or `./safefetch_control.sh -rbtree 4096 4096 0`, where safefetch_control.sh can be found in [5]. Now run the compiled sample again and count the bug warning messages in dmesg. This was my method of testing the patchset as I forward ported it from v5.11 after fixing any merge conflicts or compiler errors.

[1] https://nvd.nist.gov/vuln/detail/CVE-2016-6516
[2] https://www.openwall.com/lists/oss-security/2016/07/31/6
[3] 10eec60ce79187686e052092e5383c99b4420a20
[4] https://github.com/wpengfei/CVE-2016-6516-exploit/tree/master/Scott%20Bauer
[5] https://github.com/vusec/safefetch-ae/
---
 fs/ioctl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ioctl.c b/fs/ioctl.c index 69107a245b4c..db8df94d4caa 100644 --- a/fs/ioctl.c +++ b/fs/ioctl.c @@ -439,6 +439,12 @@ static int ioctl_file_dedupe_range(struct file *file, goto out; } + // Add an extra check before the bug fix to check whether a double-fetch occurred + // With SafeFetch enabled this check will never get triggered because we correct + // the second fetch from the cache. + if (same->dest_count != count) + pr_warn("[Bug-Warning] Bug triggered\n"); + same->dest_count = count; ret = vfs_dedupe_file_range(file, same); if (ret) -- 2.25.1
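Review bot: the `pr_warn()` added before `same->dest_count = count;` is not rate limited, and this path is driven from userspace through the dedupe ioctl; the sample from [4], which is run in a loop precisely to hit the race, will emit one line per detected double fetch and can flood the kernel log, so prefer `pr_warn_ratelimited()` (or `WARN_ON_ONCE()` if a single notification per boot is enough for the measurement). Two smaller points on the same lines: kernel code uses `/* */` rather than `//` comments (checkpatch flags C99 comments), and the message would be easier to grep for and attribute if it named the function, e.g. `pr_warn_ratelimited("%s: dest_count changed between fetches\n", __func__);`. Since the commit message describes this as test instrumentation for the SafeFetch port, it would help to say explicitly in the message that the patch is not intended for mainline.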
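The measurement described in the commit message (clear the log, run the sample, count warnings, enable SafeFetch, repeat) written out as a small harness. This is an added example, not the author's script and not run_security_artifact.sh from [5]; it assumes the sample from [4] is compiled as ./a.out in the current directory, that safefetch_control.sh from [5] is also in the current directory, and that `dmesg -C` (which needs root) is acceptable as the way to clear the ring buffer. The `count_bug_warnings` function works on any text, so it can be exercised on a constructed log without touching the kernel; the live run only happens when `SAFEFETCH_RUN=1` is set.

```shell
#!/bin/sh
# Added test harness for the "[Bug-Warning]" message in fs/ioctl.c.
# Assumptions: ./a.out is the compiled sample from [4] and
# ./safefetch_control.sh is the control script from [5].
set -eu

# Exact text of the warning the patch prints (matched literally with -F).
BUG_TAG='[Bug-Warning] Bug triggered'

# Count warning lines in dmesg-style text read from stdin.
# grep -c exits 1 when there are no matches; that still prints "0",
# so swallow the non-zero status instead of aborting under set -e.
count_bug_warnings() {
    grep -cF "$BUG_TAG" || true
}

# One measurement round, as in the commit message: clear the log, run the
# sample with the same arguments, delete its scratch files, count warnings.
run_round() {
    dmesg -C
    ./a.out 7 65534 1000000 0 || true   # sample exit status is not the signal
    rm -f /tmp/test.txt /tmp/test2.txt
    dmesg | count_bug_warnings
}

# Compare the warning count with SafeFetch off against SafeFetch on.
# $1 selects the mode from the commit message: -adaptive or -rbtree.
# Succeeds only if the unprotected run fired at least once and the
# protected run fired zero times.
compare_safefetch() {
    mode=${1:--adaptive}
    baseline=$(run_round)
    ./safefetch_control.sh -hooks
    ./safefetch_control.sh "$mode" 4096 4096 0
    protected=$(run_round)
    printf 'baseline=%s protected=%s\n' "$baseline" "$protected"
    [ "$baseline" -gt 0 ] && [ "$protected" -eq 0 ]
}

# Only touch the live kernel when explicitly requested (requires root).
if [ "${SAFEFETCH_RUN:-}" = 1 ]; then
    compare_safefetch "${1:--adaptive}"
fi
```

Run it as `SAFEFETCH_RUN=1 sudo -E sh harness.sh -rbtree` to use the rbtree mode; with the variable unset the script only defines the functions, which is what lets the counting logic be checked offline.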