lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 28 Oct 2017 11:22:00 +0800
From:   Chen Feng <puck.chen@...ilicon.com>
To:     "Theodore Ts'o" <tytso@....edu>,
        Greg KH <gregkh@...uxfoundation.org>, <zhaoyukun@...wei.com>,
        <arnd@...db.de>, <linux-kernel@...r.kernel.org>,
        <suzhuangluan@...ilicon.com>, <dan.zhao@...ilicon.com>
Subject: Re: [PATCH RFC] random: fix syzkaller fuzzer test int overflow

Hi ted,

On 2017/10/26 23:04, Theodore Ts'o wrote:
> On Thu, Oct 26, 2017 at 04:25:15PM +0800, Chen Feng wrote:
>>
>>
>> On 2017/10/25 16:49, Theodore Ts'o wrote:
>>> Other people who have sent me fuzzer test reproducers are able to
>>> reproduce syzkaller logs into a simple C program.  Can you explain to
>>> me what the heck:
>>>
>>>> r3 = syz_open_dev$urandom(&(0x7f000000a000)="2f6465762f7572616e646f6d00", 0x0, 0x0)
>>>
>>> means?
>>
>> Take a look at this:
>>
>> https://github.com/google/syzkaller/blob/master/sys/linux/random.txt
> 
> Sorry, this *still* looks like gobbledygook.
> 
> What ioctls are you executing, and with what arguments?
> 
> *Please*, give me a C program I can compile.

I checked the ioctl. What's the purpose of RNDADDTOENTCNT ioctl to userspace?

We need to checked the user-input at credit_entropy_bits_safe.

+	if (INT_MAX - nbits < r->entropy_total)
+		return -EINVAL;
+


The test-code below:

void *random_ioctl_test(void *args)
{
	int fd = -1;
	int ret = -1;
	int test_arg = 0x7fffffff;

	fd = open("dev/urandom", 0x0, 0x0);
	if (fd < 0) {
		printf("open dev/urandom failed!\n");
		return NULL;
	}

	ret = ioctl(fd, 0x40045201, &test_arg);

	printf("random_ioctl ret=%d\n", ret);
	close(fd);
	return NULL;
}

int main(int argc, char *argv[])
{
	int ret, i;
	pthread_t thread[100];

	for (i = 0; i < 100; i++) {
		ret = pthread_create(&thread[i], NULL, random_ioctl_test, &i);
		if (ret) {
			printf("create thread %d fail with ret=%d\n", i, ret);
			return -1;
		}
	}

	for (i = 0; i < 100; i++) {
		pthread_join(thread[i], NULL);
	}
	return 0;
}


> 
> 					 -Ted
> 
> .
>

Powered by blists - more mailing lists