Date:	Mon, 20 May 2013 22:34:06 +0200
From:	Toralf Förster <toralf.foerster@....de>
To:	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: fuzz testing lets kernel audit complains in the linkat syscall only

While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
about a file in the syscall "unlinkat" - but audit does not complain when that file
was created/modified etc.

If this is intended - please press the delete button now.



Not ? Ok.

At a 32bit stable Gentoo linux with kernel 3.9.3 I got messages like:
kernel: type=1702 audit(1369079376.420:37): op=linkat action=denied pid=13536 comm="trinity-child1" path="/dev" dev="loop0" ino=8146

when I chrooted into a 32bit stable Gentoo Linux image and run a fuzz tester:
$> trinity -C 4 -m -x linkat

(4 childs, monochrome, excluded syscall "linkat" to test only those cases,
where linkat was not directly called by the fuzzer),

The appropriate log entry gives:
$> cat x
[13536] [35] unlinkat(dfd=390, pathname="
���T̫̺̳o̬̜ ì̬͎̲̟nv̖̗̻̣̹̕o͖̗̠̜̤k͍͚̹͖̼e̦̗̪͍̪͍ ̬ͅt̕h̠͙̮͕͓e̱̜̗͙̭ ̥͔̫͙̪͍̣͝ḥi̼̦͈̼v̩̟͚̞͎e͈̟̻͙̦̤-m̷̘̝̱í͚̞̦̳n̝̲̯̙̮͞d̴̺̦͕̫ ̗̭̘͎͖r̞͎̜̜͖͎̫͢ep͇r̝̯̝͖͉͎̺e̴s̥e̵̖̳͉͍̩̗n̢͓̪͕̜̰̠̦t̺̞̰i͟n̮̦̖̟g̮͍̱̻͍̜̳ ̳c̖̮̙̣̰̠̩h̷̗͍̖͙̭͇͈a̧͎̯̹̲̺̫ó̭̞̜̣̯͕s̶̤̮̩̘.̨̻̪̖͔  ̳̭̦̭̭̦̞́I̠͍̮n͇̹̪̬v̴͖̭̗̖o̸k̬̤͓͚̠͍i͜n̛̩̹͉̘̹g͙ ̠̥ͅt̰͖͞h̫̼̪e̟̩̝ ̭̠̲̫͔fe̤͇̝̱e͖̮̠̹̭͖͕l͖̲̘͖̠̪i̢̖͎̮̗̯͓̩n̸̰g̙̱̘̗͚̬ͅ ͍o͍͍̩̮͢f̖͓̦̥ ̘͘c̵̫̱̗͚͓̦h͝a̝͍͍̳̣͖͉o͙̟s̤̞.̙̝̭̣̳̼͟  ̢̻͖͓̬̞̰̦W̮̲̝̼̩̝͖i͖͖͡ͅt̘̯͘h̷̬̖̞̙̰̭̳ ̭̪̕o̥̤̺̝̼̰̯͟ṳ̞̭̤t̨͚̥̗ ̟̺̫̩̤̳̩o̟̰̩̖ͅr̞̘̫̩̼d̡͍̬͎̪̺͚͔e͓͖̝̙r̰͖̲̲̻̠.̺̝̺̟͈  ̣̭T̪̩̼h̥̫̪͔̀e̫̯͜ ̨N̟e͔̤zp̮̭͈̟é͉͈ṛ̹̜̺̭͕d̺̪̜͇͓i̞á͕̹

(the file "x" is attached, it contains the next log line of the next
trinity child too due to a missing new line).

FWIW the used Gentoo linux image is an user mode linux image.
I however just mounted it using the loop device, chrooted into it and
run the fuzzer instead of calling that image with a linux exe.

-- 
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3

View attachment "x" of type "text/plain" (1117 bytes)

Powered by blists - more mailing lists