Message-Id: <20250712192202.707192-18-gatlin.newhouse@gmail.com>
Date: Sat, 12 Jul 2025 19:22:02 +0000
From: Gatlin Newhouse <gatlin.newhouse@...il.com>
To: linux-hardening@...r.kernel.org
Cc: Gatlin Newhouse <gatlin.newhouse@...il.com>
Subject: [RFC v1 17/17] vfs: ioctl: add logging to ioctl_file_dedupe_range() for testing

This adds a message indicating a double-fetch bug trigger for testing
the SafeFetch patchset. It adds the message right before the fix for
CVE-2016-6516 [1][2] introduced by Scott Bauer [3], which can be tested
by first compiling the double-fetch program from [4], and running a shell
script similar to the one provided by the SafeFetch paper authors in their
artifacts repository (see: run_security_artifact.sh) [5].

In summary, you can compile the sample from [4], then clear dmesg, run
the sample with `./a.out 7 65534 1000000 0`. Then remove both files used
in the sample /tmp/test.txt and /tmp/test2.txt. Now count the bug
warning messages in dmesg before clearing dmesg again. Then enable
safefetch with `./safefetch_control.sh -hooks` followed by
`./safefetch_control.sh -adaptive 4096 4096 0` or
`./safefetch_control.sh -rbtree 4096 4096 0` where safefetch_control.sh
can be found in [5]. Now run the compiled sample again and count the bug
warning messages in dmesg.

This was my method of testing the patchset as I forward ported it from
v5.11 after fixing any merge conflicts or compiler errors.

[1] https://nvd.nist.gov/vuln/detail/CVE-2016-6516
[2] https://www.openwall.com/lists/oss-security/2016/07/31/6
[3] 10eec60ce79187686e052092e5383c99b4420a20
[4] https://github.com/wpengfei/CVE-2016-6516-exploit/tree/master/Scott%20Bauer
[5] https://github.com/vusec/safefetch-ae/
---
 fs/ioctl.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/fs/ioctl.c b/fs/ioctl.c
index 69107a245b4c..db8df94d4caa 100644
--- a/fs/ioctl.c
+++ b/fs/ioctl.c
@@ -439,6 +439,12 @@ static int ioctl_file_dedupe_range(struct file *file,
 		goto out;
 	}
 
+	// Add an extra check before the bug fix to check whether a double-fetch occurred
+	// With SafeFetch enabled this check will never get triggered because we correct
+	// the second fetch from the cache.
+	if (same->dest_count != count)
+		pr_warn("[Bug-Warning] Bug triggered\n");
+
 	same->dest_count = count;
 	ret = vfs_dedupe_file_range(file, same);
 	if (ret)
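Review bot: the new `pr_warn()` fires on a condition user space controls (the re-read `same->dest_count` differing from the first-fetched `count`), so a process looping the sample from [4] can write unbounded lines to the kernel log; since the commit message says this exists only to exercise SafeFetch, use `pr_warn_ratelimited()` or gate the check behind a debug Kconfig option, and tag the patch as not-for-merge. The message "Bug triggered" also carries no context: logging the function name and both values (the first-fetched `count` and the re-read `same->dest_count`) would let the dmesg count in the test script be checked against what the sample actually did. Style-wise, kernel C uses `/* */` comments rather than `//`, e.g. `/* Test hook for SafeFetch: a mismatch here means the second fetch saw a different dest_count. */`.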
-- 
2.25.1
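The measurement loop the commit message describes (clear dmesg, run the sample, remove its temp files, count warnings, enable SafeFetch, repeat) as an added shell script. It is not part of this patch or of the SafeFetch artifacts repository; it assumes the compiled sample from [4] is `./a.out` and `safefetch_control.sh` from [5] is in the current directory, that `dmesg` needs root, and that the marker it greps for is the exact string this patch's `pr_warn()` emits.

```shell
#!/bin/sh
# Added example (not part of the patch or the SafeFetch artifacts): run the
# double-fetch sample with and without SafeFetch and compare how many
# "[Bug-Warning]" lines the kernel logged each time.
# Assumptions: ./a.out is the compiled sample from [4], ./safefetch_control.sh
# is from [5], and sudo is needed for dmesg.

BUG_MARKER='[Bug-Warning] Bug triggered'   # string the patch's pr_warn() emits

# Count marker lines in dmesg-style text read from stdin. grep -c prints 0 and
# exits 1 when nothing matches, so force a success status for callers.
count_bug_warnings() {
    grep -c -F "$BUG_MARKER" || true
}

# PASS when the unprotected run logged at least one double-fetch and the
# SafeFetch-protected run logged none; anything else is FAIL.
verdict() {
    baseline=$1
    protected=$2
    if [ "$baseline" -gt 0 ] && [ "$protected" -eq 0 ]; then
        echo PASS
    else
        echo FAIL
    fi
}

# One trial: clear the ring buffer, run the sample with the arguments from the
# commit message, drop its temp files, report how many warnings were logged.
run_trial() {
    sudo dmesg -C
    ./a.out 7 65534 1000000 0
    rm -f /tmp/test.txt /tmp/test2.txt
    sudo dmesg | count_bug_warnings
}

main() {
    mode=${1:-adaptive}            # "adaptive" or "rbtree", as in the commit message
    before=$(run_trial)
    ./safefetch_control.sh -hooks
    ./safefetch_control.sh "-$mode" 4096 4096 0
    after=$(run_trial)
    echo "without SafeFetch: $before warnings; with SafeFetch ($mode): $after warnings"
    echo "result: $(verdict "$before" "$after")"
}

# Only touch dmesg when explicitly asked, so the file can be sourced to run
# count_bug_warnings over a saved log without executing the sample.
case "${1:-}" in
    --run) shift; main "$@" ;;
esac
```

Run it as `./count_double_fetch.sh --run adaptive` or `--run rbtree`; sourcing the file instead gives you `count_bug_warnings` for checking a log captured with `dmesg > before.txt`.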

