lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <519A88BE.8030309@gmx.de>
Date:	Mon, 20 May 2013 22:34:06 +0200
From:	Toralf Förster <toralf.foerster@....de>
To:	Linux Kernel <linux-kernel@...r.kernel.org>
Subject: fuzz testing lets kernel audit complains in the linkat syscall only

While fuzz testing a 3.9.3 kernel I'm wonder why the kernel audit does complain
about a file in the syscall "unlinkat" - but audit does not complain when that file
was created/modified etc.

If this is intended - please press the delete button now.



Not ? Ok.

At a 32bit stable Gentoo linux with kernel 3.9.3 I got messages like:
kernel: type=1702 audit(1369079376.420:37): op=linkat action=denied pid=13536 comm="trinity-child1" path="/dev" dev="loop0" ino=8146

when I chrooted into a 32bit stable Gentoo Linux image and run a fuzz tester:
$> trinity -C 4 -m -x linkat

(4 childs, monochrome, excluded syscall "linkat" to test only those cases,
where linkat was not directly called by the fuzzer),

The appropriate log entry gives:
$> cat x
[13536] [35] unlinkat(dfd=390, pathname="
���T̫̺̳o̬̜ ì̬͎̲̟nv̖̗̻̣̹̕o͖̗̠̜̤k͍͚̹͖̼e̦̗̪͍̪͍ ̬ͅt̕h̠͙̮͕͓e̱̜̗͙̭ ̥͔̫͙̪͍̣͝ḥi̼̦͈̼v̩̟͚̞͎e͈̟̻͙̦̤-m̷̘̝̱í͚̞̦̳n̝̲̯̙̮͞d̴̺̦͕̫ ̗̭̘͎͖r̞͎̜̜͖͎̫͢ep͇r̝̯̝͖͉͎̺e̴s̥e̵̖̳͉͍̩̗n̢͓̪͕̜̰̠̦t̺̞̰i͟n̮̦̖̟g̮͍̱̻͍̜̳ ̳c̖̮̙̣̰̠̩h̷̗͍̖͙̭͇͈a̧͎̯̹̲̺̫ó̭̞̜̣̯͕s̶̤̮̩̘.̨̻̪̖͔  ̳̭̦̭̭̦̞́I̠͍̮n͇̹̪̬v̴͖̭̗̖o̸k̬̤͓͚̠͍i͜n̛̩̹͉̘̹g͙ ̠̥ͅt̰͖͞h̫̼̪e̟̩̝ ̭̠̲̫͔fe̤͇̝̱e͖̮̠̹̭͖͕l͖̲̘͖̠̪i̢̖͎̮̗̯͓̩n̸̰g̙̱̘̗͚̬ͅ ͍o͍͍̩̮͢f̖͓̦̥ ̘͘c̵̫̱̗͚͓̦h͝a̝͍͍̳̣͖͉o͙̟s̤̞.̙̝̭̣̳̼͟  ̢̻͖͓̬̞̰̦W̮̲̝̼̩̝͖i͖͖͡ͅt̘̯͘h̷̬̖̞̙̰̭̳ ̭̪̕o̥̤̺̝̼̰̯͟ṳ̞̭̤t̨͚̥̗ ̟̺̫̩̤̳̩o̟̰̩̖ͅr̞̘̫̩̼d̡͍̬͎̪̺͚͔e͓͖̝̙r̰͖̲̲̻̠.̺̝̺̟͈  ̣̭T̪̩̼h̥̫̪͔̀e̫̯͜ ̨N̟e͔̤zp̮̭͈̟é͉͈ṛ̹̜̺̭͕d̺̪̜͇͓i̞á͕̹

(the file "x" is attached, it contains the next log line of the next
trinity child too due to a missing new line).

FWIW the used Gentoo linux image is an user mode linux image.
I however just mounted it using the loop device, chrooted into it and
run the fuzzer instead of calling that image with a linux exe.

-- 
MfG/Sincerely
Toralf Förster
pgp finger print: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 7DB6 9DA3

View attachment "x" of type "text/plain" (1117 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ