From patchwork Tue May 16 22:46:15 2017
X-Patchwork-Submitter: Eric Biggers
X-Patchwork-Id: 9729751
From: Eric Biggers
To: fstests@vger.kernel.org
Cc: linux-fscrypt@vger.kernel.org, Eric Biggers
Subject: [PATCH v2] generic: test that encrypted filenames are presented without collisions
Date: Tue, 16 May 2017 15:46:15 -0700
Message-Id: <20170516224615.63974-1-ebiggers3@gmail.com>

From: Eric Biggers

Add a test which creates many similarly-named files in an encrypted
directory, then verifies they can be deleted without access to the
encryption key. This is a regression test for two related bugs which
caused presented names to "collide" and point to the wrong inodes. These
bugs were present in the original versions of ext4 and f2fs encryption,
and they were fixed in v4.12-rc1.

Cc: linux-fscrypt@vger.kernel.org
Signed-off-by: Eric Biggers

--- tests/generic/500 | 99 +++++++++++++++++++++++++++++++++++++++++++++++++++ tests/generic/500.out | 4 +++ tests/generic/group | 1 + 3 files changed, 104 insertions(+) create mode 100755 tests/generic/500 create mode 100644 tests/generic/500.out diff --git a/tests/generic/500 b/tests/generic/500 new file mode 100755 index 00000000..0032fb68 --- /dev/null +++ b/tests/generic/500 
@@ -0,0 +1,99 @@ +#! /bin/bash +# FS QA Test generic/500 +# +# Test that without the encryption key for a directory, long filenames are +# presented in a way which avoids collisions, even though they are abbreviated +# in order to support names up to NAME_MAX bytes. +# +# Regression test for: +# 6332cd32c829 ("f2fs: check entire encrypted bigname when finding a dentry") +# 6b06cdee81d6 ("fscrypt: avoid collisions when presenting long encrypted filenames") +# +# Even with these two fixes it's still possible to create intentional +# collisions. For now this test covers "accidental" collisions only. +# +#----------------------------------------------------------------------- +# Copyright (c) 2017 Google, Inc. All Rights Reserved. +# +# Author: Eric Biggers +# +# This program is free software; you can redistribute it and/or +# modify it under the terms of the GNU General Public License as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it would be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program; if not, write the Free Software Foundation, +# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA +#----------------------------------------------------------------------- +# + +seq=`basename $0` +seqres=$RESULT_DIR/$seq +echo "QA output created by $seq" + +here=`pwd` +tmp=/tmp/$$ +status=1 # failure is the default! +trap "_cleanup; exit \$status" 0 1 2 3 15 + +_cleanup() +{ + cd / + rm -f $tmp.* +} + +# get standard environment, filters and checks +. ./common/rc +. ./common/filter +. 
./common/encrypt + +# remove previous $seqres.full before test +rm -f $seqres.full + +# real QA test starts here +_supported_fs generic +_supported_os Linux +_require_scratch_encryption +_require_xfs_io_command "set_encpolicy" +_require_command "$KEYCTL_PROG" keyctl + +# set up an encrypted directory + +_new_session_keyring +_scratch_mkfs_encrypted &>> $seqres.full +_scratch_mount +mkdir $SCRATCH_MNT/edir +keydesc=$(_generate_encryption_key) +# -f 0x2: zero-pad to 16-byte boundary (i.e. encryption block boundary) +$XFS_IO_PROG -c "set_encpolicy -f 0x2 $keydesc" $SCRATCH_MNT/edir + +# Create files with long names (> 32 bytes, long enough to trigger the use of +# "digested" names) in the encrypted directory. +# +# Use 100,000 files so that we have a good chance of detecting buggy filesystems +# that solely use a 32-bit hash to distinguish files, which f2fs was doing. +# +# Furthermore, make the filenames differ only in the last 16-byte encryption +# block. This reproduces the bug where it was not accounted for that ciphertext +# stealing (CTS) causes the last two blocks to appear "flipped". +seq -f "$SCRATCH_MNT/edir/abcdefghijklmnopqrstuvwxyz012345%.0f" 100000 | xargs touch +find $SCRATCH_MNT/edir/ -type f | xargs stat -c %i | sort | uniq | wc -l + +_unlink_encryption_key $keydesc +_scratch_cycle_mount + +# Verify that every file has a unique inode number and can be removed without +# error. With the bug(s), some filenames incorrectly pointed to the same inode, +# and ext4 reported a "Structure needs cleaning" error when removing files. +find $SCRATCH_MNT/edir/ -type f | xargs stat -c %i | sort | uniq | wc -l +rm -rf $SCRATCH_MNT/edir |& head -n 10 +stat $SCRATCH_MNT/edir |& _filter_scratch + +# success, all done +status=0 +exit diff --git a/tests/generic/500.out b/tests/generic/500.out new file mode 100644 index 00000000..21ee3561 --- /dev/null +++ b/tests/generic/500.out 
@@ -0,0 +1,4 @@ +QA output created by 500 +100000 +100000 +stat: cannot stat 'SCRATCH_MNT/edir': No such file or directory diff --git a/tests/generic/group b/tests/generic/group index c4911b86..e754b984 100644 --- a/tests/generic/group +++ b/tests/generic/group @@ -437,3 +437,4 @@ 432 auto quick copy 433 auto quick copy 434 auto quick copy +500 auto encrypt
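
Review bot: in tests/generic/500, nothing after `_unlink_encryption_key $keydesc` and `_scratch_cycle_mount` confirms that the directory is really being read without the key. If the key were still usable, the second `find ... | wc -l` would print 100000 and `rm -rf` would succeed on plaintext names, so the test would pass without exercising the digested-name path it is meant to cover. Consider checking, before counting inodes, that a known plaintext name (for example the one ending in `0123451`) can no longer be stat'ed. Separately, a failure shows only a count other than 100000 in the golden output; appending the duplicated inode numbers (`sort | uniq -d`) to `$seqres.full` would make a collision easier to diagnose.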
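
Review bot: in tests/generic/500.out, the last expected line hard-codes the text of stat's error message, including the quote characters around `SCRATCH_MNT/edir`. That quoting differs between coreutils releases, so the test can fail on the golden output alone even when the directory was removed correctly. Consider testing for the directory with a shell check and echoing a fixed string, or filtering the quotes out before the comparison.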