lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <93359d1a-930f-5279-3ca8-800d5930562d@interlog.com>
Date:   Fri, 3 Aug 2018 11:06:15 -0400
From:   Douglas Gilbert <dgilbert@...erlog.com>
To:     Wanlong Gao <gaowanlong@...wei.com>,
        "Martin K. Petersen" <martin.petersen@...cle.com>,
        linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     "wencongyang (A)" <wencongyang2@...wei.com>,
        "Wanghui (John)" <john.wanghui@...wei.com>,
        guijianfeng <guijianfeng@...wei.com>, lipengfei58@...wei.com,
        qiaonuohan <qiaonuohan@...wei.com>
Subject: Re: [bug report] memory corruption panic caused by SG_IO ioctl()

On 2018-08-03 04:46 AM, Wanlong Gao wrote:
> Hi Martinand all folks,
> 
> 
> Recently we find a kernel panic with memory corruption caused by SG_IO ioctl(), 
> and it can be easily reproduced by running following reproducer about 
> minutes,any idea?

Which kernel?

And what are the underlying devices (e.g. does /dev/sg0 refer to a SATA disk,
a real SCSI disk (SAS for example), USB mass storage, etc)?

Also can you get a copy of the kernel panic?

Doug Gilbert

> 
> C reproducer:
> 
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> 
> #define _GNU_SOURCE
> 
> #include <endian.h>
> 
> #include <sys/syscall.h>
> 
> #include <unistd.h>
> 
> #include <fcntl.h>
> 
> #include <stdio.h>
> 
> #include <string.h>
> 
> #include <sys/stat.h>
> 
> #include <stdint.h>
> 
> #include <string.h>
> 
> static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
> 
> {
> 
> if (a0 == 0xc || a0 == 0xb) {
> 
> char buf[128];
> 
> sprintf(buf, "/dev/%s/%d:%d", a0 == 0xc ? "char" : "block", (uint8_t)a1, 
> (uint8_t)a2);
> 
> return open(buf, O_RDWR, 0);
> 
> } else {
> 
> char buf[1024];
> 
> char* hash;
> 
> strncpy(buf, (char*)a0, sizeof(buf) - 1);
> 
> buf[sizeof(buf) - 1] = 0;
> 
> while ((hash = strchr(buf, '#'))) {
> 
> *hash = '0' + (char)(a1 % 10);
> 
> a1 /= 10;
> 
> }
> 
> return open(buf, a2, 0);
> 
> }
> 
> }
> 
> static void execute_one();
> 
> extern unsigned long long procid;
> 
> void loop()
> 
> {
> 
> while (1) {
> 
> execute_one();
> 
> }
> 
> }
> 
> uint64_t r[1] = {0xffffffffffffffff};
> 
> void execute_one()
> 
> {
> 
> long res = 0;
> 
> memcpy((void*)0x20000040, "/dev/sg#", 9);
> 
> res = syz_open_dev(0x20000040, 0, 0);
> 
> if (res != -1)
> 
> r[0] = res;
> 
> *(uint32_t*)0x200002c0 = 0x53;
> 
> *(uint32_t*)0x200002c4 = 0;
> 
> *(uint8_t*)0x200002c8 = 0xd;
> 
> *(uint8_t*)0x200002c9 = 0;
> 
> *(uint16_t*)0x200002ca = 0;
> 
> *(uint32_t*)0x200002cc = 0x95;
> 
> *(uint64_t*)0x200002d0 = 0x20000080;
> 
> *(uint64_t*)0x200002d8 = 0x20000000;
> 
> memcpy((void*)0x20000000, 
> "\x08\xf0\xa8\x77\xd3\xbe\x87\x5d\xda\x65\x79\x3f\xc7", 13);
> 
> *(uint64_t*)0x200002e0 = 0x20000180;
> 
> *(uint32_t*)0x200002e8 = 0x8001;
> 
> *(uint32_t*)0x200002ec = 0x10024;
> 
> *(uint32_t*)0x200002f0 = -1;
> 
> *(uint64_t*)0x200002f4 = 0x20000280;
> 
> *(uint8_t*)0x200002fc = 0;
> 
> *(uint8_t*)0x200002fd = 0;
> 
> *(uint8_t*)0x200002fe = 0;
> 
> *(uint8_t*)0x200002ff = 0;
> 
> *(uint16_t*)0x20000300 = 0;
> 
> *(uint16_t*)0x20000302 = 0;
> 
> *(uint32_t*)0x20000304 = 0;
> 
> *(uint32_t*)0x20000308 = 0;
> 
> *(uint32_t*)0x2000030c = 0;
> 
> syscall(__NR_ioctl, r[0], 0x2285, 0x200002c0);
> 
> }
> 
> int main()
> 
> {
> 
> syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
> 
> for (;;) {
> 
> loop();
> 
> }
> 
> }
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ