From patchwork Tue May 2 00:15:24 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9707309
From: Eric Biggers
To: fstests@vger.kernel.org
Cc: Eric Biggers, linux-fscrypt@vger.kernel.org
Subject: [PATCH] generic: test that encrypted filenames are presented without collisions
Date: Mon, 1 May 2017 17:15:24 -0700
Message-Id: <20170502001524.114018-1-ebiggers3@gmail.com>
X-Mailing-List: linux-fscrypt@vger.kernel.org

From: Eric Biggers [RFC for now since the kernel fixes are currently sitting in fscrypt/master and haven't been merged to Linus's tree yet; I'll resend this once they're merged] Add a test which creates many similarly-named files in an encrypted directory, then verifies they can be deleted without access to the encryption key. This is a regression test for two related bugs which caused presented names to "collide" and point to the wrong inodes. Cc: linux-fscrypt@vger.kernel.org Signed-off-by: Eric Biggers --- tests/generic/500 | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++ tests/generic/500.out | 4 +++ tests/generic/group | 1 + 3 files changed, 104 insertions(+) create mode 100755 tests/generic/500 create mode 100644 tests/generic/500.out diff --git a/tests/generic/500 b/tests/generic/500 new file mode 100755 index 00000000..bd5d3949 --- /dev/null +++ b/tests/generic/500 
@@ -0,0 +1,99 @@ +#! /bin/bash +# FS QA Test generic/500 +# +# Test that without the encryption key for a directory, long filenames are +# presented in a way which avoids collisions, even though they are abbreviated +# in order to support names up to NAME_MAX bytes. +# +# Regression test for: +# TODO_COMMIT_ID ("f2fs: check entire encrypted bigname when finding a dentry") +# TODO_COMMIT_ID ("fscrypt: avoid collisions when presenting long encrypted filenames") +# +# Even with these two fixes it's still possible to create intentional +# collisions. For now this test covers "accidental" collisions only. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Google, Inc. All Rights Reserved. +# +# Author: Eric Biggers +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. 
./common/encrypt + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_encryption +_require_xfs_io_command "set_encpolicy" +_require_command "$KEYCTL_PROG" keyctl + +# set up an encrypted directory + +_new_session_keyring +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount +mkdir $SCRATCH_MNT/edir +keydesc=$(_generate_encryption_key) +# -f 0x2: zero-pad to 16-byte boundary (i.e. encryption block boundary) +$XFS_IO_PROG -c "set_encpolicy -f 0x2 $keydesc" $SCRATCH_MNT/edir + +# Create files with long names (> 32 bytes, long enough to trigger the use of +# "digested" names) in the encrypted directory. +# +# Use 100,000 files so that we have a good chance of detecting buggy filesystems +# that solely use a 32-bit hash to distinguish files, which f2fs was doing. +# +# Furthermore, make the filenames differ only in the last 16-byte encryption +# block. This reproduces the bug where it was not accounted for that ciphertext +# stealing (CTS) causes the last two blocks to appear "flipped". +seq -f "$SCRATCH_MNT/edir/abcdefghijklmnopqrstuvwxyz012345%.0f" 100000 | xargs touch +find $SCRATCH_MNT/edir/ -type f | xargs stat -c %i | sort | uniq | wc -l + +_unlink_encryption_key $keydesc +_scratch_cycle_mount + +# Verify that every file has a unique inode number and can be removed without +# error. With the bug(s), some filenames incorrectly pointed to the same inode, +# and ext4 reported a "Structure needs cleaning" error when removing files. +find $SCRATCH_MNT/edir/ -type f | xargs stat -c %i | sort | uniq | wc -l +rm -rf $SCRATCH_MNT/edir +stat $SCRATCH_MNT/edir |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/generic/500.out b/tests/generic/500.out new file mode 100644 index 00000000..21ee3561 --- /dev/null +++ b/tests/generic/500.out 
@@ -0,0 +1,4 @@ +QA output created by 500 +100000 +100000 +stat: cannot stat 'SCRATCH_MNT/edir': No such file or directory diff --git a/tests/generic/group b/tests/generic/group index b3051752..e1124e71 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -431,3 +431,4 @@ 426 auto quick exportfs 427 auto quick aio rw 428 auto quick +500 auto encrypt
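Review bot: In tests/generic/500, the comment above the "seq -f ... 100000 | xargs touch" line says 100,000 files give "a good chance" of detecting a filesystem that distinguishes names by a 32-bit hash alone, but that chance is well short of certain. Assuming a uniformly distributed hash, 100,000 names give about 1.16 expected colliding pairs among 2^32 values, so roughly 3 runs in 10 would see no collision and pass on a buggy kernel; if _generate_encryption_key returns a fresh key on each run, the outcome also changes from run to run. Consider raising the file count, or stating the expected miss rate in that comment so that a pass is not read as proof that the fix is present.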
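Review bot: The last line of tests/generic/500.out hard-codes the diagnostic printed by "stat $SCRATCH_MNT/edir |& _filter_scratch", including the single quotes around SCRATCH_MNT/edir, and that quoting is not the same across coreutils releases (older ones open the quoted name with a backtick), so the test can fail on a golden-output mismatch even on a fixed kernel. What the test needs to establish is only that "rm -rf" removed the directory; testing for its existence with "[ -e $SCRATCH_MNT/edir ]" and echoing a fixed string, or filtering the quote characters out of stat's message, would keep the expected output stable.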